Remove home manager from the steam deck.

This is to reduce waiting time.

ansible/environments/colo/host_vars/mrmanager

@@ -14,8 +14,6 @@ pf_config: "mrmanager_pf.conf"
 pflog_conf:
   - name: 0
     dev: pflog0
-  - name: 1
-    dev: pflog1
 cputype: "amd"
 hwpstate: true
 etc_hosts: {}
@@ -38,10 +36,6 @@ jail_list:
     enabled: true
     conf:
       src: public_dns
-  - name: rg
-    enabled: true
-    conf:
-      src: rg
 bhyve_dataset: zdata/vm
 bhyve_canmount: "on"
 # efi_dev: /dev/gpt/EFI

ansible/playbook.yaml

@@ -53,7 +53,7 @@
     - javascript
     - launch_keyboard
     - lvfs
-    # - restaurant_health_rating
+    - restaurant_health_rating
     - wasm
     - noise_suppression
 
@@ -104,7 +104,6 @@
     - wireguard
     - emacs
     - mrmanager
-    - ndproxy
 
 - hosts: admin_git:public_dns
   vars:

ansible/roles/base/files/gitconfig_home

@@ -1,54 +1,36 @@
 [user]
 	email = tom@fizz.buzz
 	name = Tom Alexander
-	signingkey = 36C99E8B3C39D85F
+	signingkey = D3A179C9A53C0EDE
 [push]
-	default = simple # (default since 2.0)
+	default = simple
 [alias]
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
-        authorcount = shortlog --summary --numbered --all --no-merges
+	authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
 	gpgsign = true
-	verbose = true
 [pull]
 	rebase = true
 [log]
 	date = local
 [init]
 	defaultBranch = main
+
+# Use meld for `git difftool` and `git mergetool`
 [diff]
-	tool = meld # Use meld for `git difftool` and `git mergetool`
-	algorithm = histogram
-	colorMoved = plain
-	mnemonicPrefix = true
-	renames = true
+	tool = meld
 [difftool]
 	prompt = false
 [difftool "meld"]
 	cmd = meld "$LOCAL" "$REMOTE"
 [merge]
 	tool = meld
-	conflictStyle = zdiff3
 [mergetool "meld"]
         # Make the middle pane start with partially-merged contents:
 	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
         # Make the middle pane start without any merge progress:
 	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
-[column]
-	ui = auto
-[branch]
-	sort = -committerdate
-[tag]
-	sort = version:refname
-[fetch]
-	prune = true
-	pruneTags = true
-	all = true
-[rebase]
-	autoSquash = true
-	autoStash = true
-	updateRefs = false

ansible/roles/base/files/gitconfig_work

@@ -1,38 +1,34 @@
 [user]
 	email = ThomasA.Alexander@hmhn.org
 	name = Tom Alexander
-	signingkey = 36C99E8B3C39D85F
+	signingkey = D3A179C9A53C0EDE
 [push]
-	default = simple # (default since 2.0)
+	default = simple
 [alias]
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
-        authorcount = shortlog --summary --numbered --all --no-merges
+	authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
 	gpgsign = true
-	verbose = true
 [pull]
 	rebase = true
 [log]
 	date = local
 [init]
 	defaultBranch = main
+
+# Use meld for `git difftool` and `git mergetool`
 [diff]
-	tool = meld # Use meld for `git difftool` and `git mergetool`
-	algorithm = histogram
-	colorMoved = plain
-	mnemonicPrefix = true
-	renames = true
+	tool = meld
 [difftool]
 	prompt = false
 [difftool "meld"]
 	cmd = meld "$LOCAL" "$REMOTE"
 [merge]
 	tool = meld
-	conflictStyle = zdiff3
 [mergetool "meld"]
         # Make the middle pane start with partially-merged contents:
 	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
@@ -40,19 +36,3 @@
 	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
 [includeIf "gitdir:/bridge/"]
 	path = /bridge/git/machine_setup/ansible/roles/base/files/gitconfig_home
-[includeIf "gitdir:/persist/"]
-	path = /bridge/git/machine_setup/ansible/roles/base/files/gitconfig_home
-[column]
-	ui = auto
-[branch]
-	sort = -committerdate
-[tag]
-	sort = version:refname
-[fetch]
-	prune = true
-	pruneTags = true
-	all = true
-[rebase]
-	autoSquash = true
-	autoStash = true
-	updateRefs = false

ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash

@@ -153,7 +153,6 @@ function start_vm {
             -D \
             -c $CPU_CORES \
             -m $MEMORY \
-            -S \
             -H \
             -P \
             -o 'rtc.use_localtime=false' \
@@ -217,7 +216,7 @@ EOF
 mkpeer ${host_interface_name}: bridge ether link0
 name ${host_interface_name}:ether $bridge_name
 EOF
-        ifconfig "$(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2)" name "${host_interface_name}" "$ip_range" up
+        ifconfig $(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${host_interface_name}" "$ip_range" up
     fi
 }
 

ansible/roles/bhyve/files/bhyverc.bash

@@ -1,478 +0,0 @@
-#!/usr/bin/env bash
-#
-set -euo pipefail
-IFS=$'\n\t'
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-# Share a host directory to the guest via 9pfs.
-#
-# Inside the VM run:
-#   mount -t virtfs -o trans=virtio sharename /some/vm/path
-#   mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
-#   mount -t 9p -o trans=virtio,cache=mmap,msize=512000 bind9p /path/to/mountpoint
-# bhyve_options="-s 28,virtio-9p,sharename=/"
-
-# Enable Sound
-# bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
-
-# Example usage:
-#
-#   doas bhyverc create-disk zdata/vm/poudriere /vm/poudriere 10
-#   doas bhyverc start poudriere zdata/vm/poudriere /vm/poudriere /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso
-#   doas bhyverc start poudriere zdata/vm/poudriere /vm/poudriere
-
-
-: ${VERBOSE:="NO"} # or YES
-if [ "$VERBOSE" = "YES" ]; then
-    set -x
-fi
-
-: ${CPU_CORES:="1"}
-: ${MEMORY:="1G"}
-: ${NETWORK:="NAT"} # or RAW or BOTH
-: ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks
-: ${INTERFACE_NAME:="jail_nat"} # or the external interface like lagg0 for RAW networks
-: ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
-: ${VNC_ENABLE:="NO"}
-: ${VNC_LISTEN:="127.0.0.1:5900"}
-: ${VNC_WIDTH:="1920"}
-: ${VNC_HEIGHT:="1080"}
-: ${BIND9P:=""}
-: ${PREVENT_OOM:="NO"}
-: "${CD:=}"
-
-: ${SHUTDOWN_TIMEOUT:="600"} # 10 minutes
-
-
-
-############## Setup #########################
-
-
-function die {
-    local status_code="$1"
-    shift
-    (>&2 echo "${@}")
-    exit "$status_code"
-}
-
-function log {
-    (>&2 echo "${@}")
-}
-
-############## Program #########################
-
-function main {
-    local cmd
-    cmd=$1
-    shift
-    if [ "$cmd" = "start" ]; then
-        init
-        start "${@}"
-    elif [ "$cmd" = "stop" ]; then
-        init
-        stop "${@}"
-    elif [ "$cmd" = "status" ]; then
-        init
-        status "${@}"
-    elif [ "$cmd" = "console" ]; then
-        init
-        console "${@}"
-    elif [ "$cmd" = "_start_body" ]; then
-        init
-        start_body "${@}"
-    elif [ "$cmd" = "create-disk" ]; then
-        create_disk "${@}"
-    else
-        (>&2 echo "Unknown command: $cmd")
-        exit 1
-    fi
-}
-
-function start {
-    local num_vms="$#"
-    if [ "$num_vms" -eq 0 ]; then
-        log "No VMs specified."
-        return 0
-    fi
-
-    while [ "$#" -gt 0 ]; do
-        local name="$1"
-        shift 1
-        log "Starting VM $name."
-        start_one "$name"
-        [ "$#" -eq 0 ] || sleep 5
-    done
-}
-
-function start_one {
-    local name="$1"
-    local tmux_name="$name"
-    /usr/local/bin/tmux new-session -d -s "$tmux_name" "$0" "_start_body" "$name"
-    # /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=NO VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /home/talexander/launch_opnsense.bash"
-}
-
-function launch_pidfile {
-    local pidfile="$1"
-    shift 1
-    mkdir -p "$(dirname "$pidfile")"
-    cat > "${pidfile}" <<< "$$"
-    set -x
-    exec "${@}"
-}
-export -f launch_pidfile
-
-function stop {
-    local num_vms="$#"
-    if [ "$num_vms" -eq 0 ]; then
-        log "No VMs specified."
-        return 0
-    fi
-
-    while [ "$#" -gt 0 ]; do
-        local name="$1"
-        shift 1
-        log "Stopping VM $name."
-        stop_one "$name"
-        [ "$#" -eq 0 ] || sleep 5
-    done
-}
-
-function stop_one {
-    local name="$1"
-    local pidfile="/run/bhyverc/${name}/pid"
-
-    if [ ! -e "$pidfile" ]; then
-        log "Pid file $pidfile does not exist."
-        return 0
-    fi
-
-    local bhyve_pid
-    bhyve_pid=$(cat "$pidfile")
-
-    if ps -p "$bhyve_pid" >/dev/null; then
-        # Send ACPI shutdown command
-        log "Sending ACPI shutdown to ${name}:${bhyve_pid}."
-        kill -SIGTERM "$bhyve_pid"
-    fi
-
-    local timeout_start timeout_end
-    timeout_start=$(date +%s)
-    while ps -p "$bhyve_pid" >/dev/null; do
-        timeout_end=$(date +%s)
-        if [ $((timeout_end-timeout_start)) -ge "$SHUTDOWN_TIMEOUT" ]; then
-            log "${name}:${bhyve_pid} took more than $SHUTDOWN_TIMEOUT seconds to shut down. Hard powering down."
-            break
-        fi
-
-        log "Waiting for ${name}:${bhyve_pid} to exit."
-        sleep 2
-    done
-
-    bhyvectl "--vm=$name" --destroy || true
-
-    local timeout_start timeout_end
-    timeout_start=$(date +%s)
-    while ps -p "$bhyve_pid" >/dev/null; do
-        timeout_end=$(date +%s)
-        if [ $((timeout_end-timeout_start)) -ge "$SHUTDOWN_TIMEOUT" ]; then
-            log "${name}:${bhyve_pid} took more than $SHUTDOWN_TIMEOUT seconds to hard power down. Giving up."
-            break
-        fi
-
-        log "Waiting for ${name}:${bhyve_pid} to hard power down."
-        sleep 2
-    done
-
-    rm -f "$pidfile"
-
-    log "Finished stopping $name."
-}
-
-function status {
-    local num_vms="$#"
-
-    if [ "$num_vms" -gt 0 ]; then
-        for name in "$@"; do
-            status_one "$name"
-        done
-    else
-        log "No VMs specified."
-    fi
-}
-
-function status_one {
-    local name="$1"
-    local pidfile="/run/bhyverc/${name}/pid"
-
-    if [ ! -e "$pidfile" ]; then
-        log "$name is not running."
-        return 0
-    fi
-
-    local bhyve_pid
-    bhyve_pid=$(cat "$pidfile")
-
-    if ! ps -p "$bhyve_pid" >/dev/null; then
-        log "$name is not running."
-        return 0
-    fi
-
-    log "$name is running as pid $bhyve_pid."
-}
-
-function console {
-    local num_vms="$#"
-
-    if [ "$num_vms" -gt 0 ]; then
-        for name in "$@"; do
-            log "Attaching to console of VM $name."
-            console_one "$name"
-        done
-    else
-        log "No VMs specified."
-    fi
-}
-
-function console_one {
-    local name="$1"
-    local tmux_name="$name"
-    exec tmux a -t "$tmux_name"
-}
-
-function init {
-    mkdir -p /run/bhyverc
-}
-
-############## Bhyve ###########################
-
-function create_disk {
-    local zfs_path="$1"
-    local mount_path="$2"
-    local gigabytes="$3"
-    zfs create -o "mountpoint=$mount_path" "$zfs_path"
-    cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/"
-    tee "${mount_path}/settings" <<EOF
-CPU_CORES="$CPU_CORES"
-MEMORY="$MEMORY"
-NETWORK="$NETWORK"
-IP_RANGE="$IP_RANGE"
-BRIDGE_NAME="$BRIDGE_NAME"
-INTERFACE_NAME="$INTERFACE_NAME"
-EOF
-    zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none "$zfs_path/disk0"
-}
-
-function start_body {
-    local name="$1"
-    local zfs_path="zdata/vm/$name"
-    local mount_path="/vm/$name"
-
-    if [ -e "${mount_path}/settings" ]; then
-        source "${mount_path}/settings"
-    fi
-
-    local mount_cd="$CD"
-
-    local host_interface_name="$INTERFACE_NAME" # for raw, external interface
-    local bridge_name="$BRIDGE_NAME"
-    local ip_range="$IP_RANGE" # for raw this value does not matter
-
-    local mac_address
-    mac_address=$(calculate_mac_address "$name")
-
-    if [ "$PREVENT_OOM" = "YES" ]; then
-        protect -d -i -p "$$"
-    fi
-
-    local entry parsed_item
-    local additional_args=()
-    local next_pcie_slot=10
-
-    if [ "$NETWORK" = "NAT" ]; then
-        assert_bridge "$host_interface_name" "$bridge_name" "$ip_range"
-        local bridge_link_name=$(detect_available_link "${bridge_name}")
-        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
-    elif [ "$NETWORK" = "RAW" ]; then
-        assert_raw "$host_interface_name" "$bridge_name"
-        local bridge_link_name=$(detect_available_link "${bridge_name}")
-        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
-    elif [ "$NETWORK" = "BOTH" ]; then
-        assert_bridge "jail_nat" "$bridge_name" "$ip_range"
-        assert_raw "$host_interface_name" "bridge_raw"
-        local bridge_link_name=$(detect_available_link "${bridge_name}")
-        local raw_bridge_link_name=$(detect_available_link "bridge_raw")
-        local raw_mac_address=$(calculate_mac_address "${name}_raw")
-        additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
-        additional_args+=("-s" "3:0,virtio-net,netgraph,path=bridge_raw:,peerhook=${raw_bridge_link_name},mac=${raw_mac_address}")
-    else
-        die 1 "Unrecognized NETWORK type $NETWORK"
-    fi
-
-    if [ -n "$BIND9P" ]; then
-        if [[ "$BIND9P" = *":"* ]]; then
-            IFS=':' read -ra entry <<<"$BIND9P"
-            for item in "${entry[@]}"; do
-                IFS='=' read -ra parsed_item <<<"$item"
-                additional_args+=("-s" "${next_pcie_slot},virtio-9p,${parsed_item[0]}=${parsed_item[1]}")
-                next_pcie_slot=$((next_pcie_slot+1))
-            done
-        else
-            additional_args+=("-s" "${next_pcie_slot},virtio-9p,bind9p=${BIND9P}")
-            next_pcie_slot=$((next_pcie_slot+1))
-        fi
-    fi
-
-
-    # -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
-         # -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
-             # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
-            # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080 \
-
-    # TODO: Look into using nmdm instead of stdio for serial console
-    if [ -n "$mount_cd" ]; then
-        additional_args+=("-s" "5,ahci-cd,$mount_cd")
-    fi
-    if [ "$VNC_ENABLE" = "YES" ]; then
-        additional_args+=("-s" "${next_pcie_slot},fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
-        next_pcie_slot=$((next_pcie_slot+1))
-    fi
-    vms+=("$name")
-    while true; do
-        local pidfile="/run/bhyverc/${name}/pid"
-        trap "set +e; stop_one '${name}'" EXIT
-
-        local launch_cmd=()
-        launch_cmd+=(
-            launch_pidfile "$pidfile"
-            bhyve
-            -D
-            -c "$CPU_CORES"
-            -m "$MEMORY"
-            -S
-            -H
-            -o 'rtc.use_localtime=false'
-            -s "0,hostbridge"
-            -s "4,nvme,/dev/zvol/${zfs_path}/disk0"
-            -s "${next_pcie_slot},xhci,tablet"
-            -s "$((next_pcie_slot+1)),lpc" -l "com1,stdio"
-            -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd"
-            "${additional_args[@]}"
-            "$name"
-        )
-        set +e
-        rm -f "$pidfile"
-        (
-            IFS=$' \n\t'
-            set -ex
-            bash -c "${launch_cmd[*]}"
-        )
-        local exit_code=$?
-        log "Exit code ${exit_code}"
-        set -e
-        if [ $exit_code -eq 0 ]; then
-            echo "Rebooting."
-            sleep 5
-        elif [ $exit_code -eq 1 ]; then
-            echo "Powered off."
-            break
-        elif [ $exit_code -eq 2 ]; then
-            echo "Halted."
-            break
-        elif [ $exit_code -eq 3 ]; then
-            echo "Triple fault."
-            break
-        elif [ $exit_code -eq 4 ]; then
-            echo "Exited due to an error."
-            break
-        fi
-    done
-}
-
-function detect_available_link {
-    local bridge_name="$1"
-    local linknum=1
-    while true; do
-        local link_name="link${linknum}"
-        if ! ng_exists "${bridge_name}:${link_name}"; then
-            echo "$link_name"
-            return
-        fi
-        linknum=$((linknum + 1))
-        if [ "$linknum" -gt 90 ]; then
-            (>&2 echo "No available links on bridge $bridge_name")
-            exit 1
-        fi
-    done
-}
-
-function assert_bridge {
-    local host_interface_name="$1"
-    local bridge_name="$2"
-    local ip_range="$3"
-
-    if ! ng_exists "${bridge_name}:"; then
-        ngctl -d -f - <<EOF
-mkpeer . eiface hook ether
-name .:hook $host_interface_name
-EOF
-        ngctl -d -f - <<EOF
-mkpeer ${host_interface_name}: bridge ether link0
-name ${host_interface_name}:ether $bridge_name
-EOF
-        ifconfig "$(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2)" name "${host_interface_name}" "$ip_range" up
-    fi
-}
-
-function assert_raw {
-    local extif="$1"
-    local bridge_name="$2"
-
-    kldload -n ng_bridge ng_eiface ng_ether
-
-    if ! ng_exists "${bridge_name}:"; then
-        ngctlcat <<EOF
-# Create a bridge.
-mkpeer $extif: bridge lower link0
-# Assign a name to the bridge.
-name $extif:lower ${bridge_name}
-# Since the host is also using $extif, we need to connect the upper hook also. Otherwise we will lose connectivity.
-connect $extif: ${bridge_name}: upper link1
-
-# Enable promiscuous mode so the host ethernet adapter accepts packets for all addresses
-msg $extif: setpromisc 1
-
-# Do not overwrite source address on packets
-msg $extif: setautosrc 0
-EOF
-    fi
-}
-
-function ng_exists {
-    ngctl status "${1}" >/dev/null 2>&1
-}
-
-function calculate_mac_address {
-    local name="$1"
-    local source
-    source=$(md5 -r -s "$name" | awk '{print $1}')
-    echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
-}
-
-function find_available_port {
-    local start_port="$1"
-    local port="$start_port"
-    while true; do
-        sockstat -P tcp -p 443
-        port=$((port + 1))
-    done
-}
-
-function ngctlcat {
-    if [ "$VERBOSE" = "YES" ]; then
-        tee /dev/tty | ngctl -d -f -
-    else
-        ngctl -d -f -
-    fi
-}
-
-main "${@}"

ansible/roles/bhyve/files/bhyverc.sh

@@ -1,37 +0,0 @@
-#!/bin/sh
-#
-# REQUIRE: LOGIN FILESYSTEMS
-# PROVIDE: bhyverc
-# KEYWORD: shutdown
-
-. /etc/rc.subr
-name=bhyverc
-rcvar=${name}_enable
-start_cmd="${name}_start"
-stop_cmd="${name}_stop"
-status_cmd="${name}_status"
-console_cmd="${name}_console"
-extra_commands="console"
-load_rc_config $name
-
-bhyverc_start() {
-    export PATH="$PATH:/usr/local/bin"
-    exec /usr/local/bin/bhyverc start "${@}"
-}
-
-bhyverc_status() {
-    export PATH="$PATH:/usr/local/bin"
-    exec /usr/local/bin/bhyverc status "${@}"
-}
-
-bhyverc_stop() {
-    export PATH="$PATH:/usr/local/bin"
-    exec /usr/local/bin/bhyverc stop "${@}"
-}
-
-bhyverc_console() {
-    export PATH="$PATH:/usr/local/bin"
-    exec /usr/local/bin/bhyverc console "${@}"
-}
-
-run_rc_command "$@"

ansible/roles/bhyve/tasks/freebsd.yaml

@@ -22,25 +22,6 @@
   loop:
     - src: bhyve_netgraph_bridge.bash
       dest: /usr/local/bin/bhyve_netgraph_bridge
-    - src: bhyverc.bash
-      dest: /usr/local/bin/bhyverc
-
-- name: Install rc script
-  copy:
-    src: "files/{{ item.src }}"
-    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
-    owner: root
-    group: wheel
-    mode: 0755
-  loop:
-    - src: bhyverc.sh
-      dest: bhyverc
-
-- name: Enable bhyverc
-  community.general.sysrc:
-    name: bhyverc_enable
-    value: "YES"
-    path: /etc/rc.conf.d/bhyverc
 
 - name: Create zfs dataset
   zfs:

ansible/roles/build/files/aurutils-sync

@@ -5,4 +5,4 @@ set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
-GPGKEY=4278299FB84F6875 exec aur sync --makepkg-conf /etc/aurutils/makepkg.conf -c --sign "$@"
+GPGKEY=27DE40D9B8455C1B exec aur sync --makepkg-conf /etc/aurutils/makepkg.conf -c --sign "$@"

ansible/roles/build/files/gpg.asc

@@ -1,27 +1,27 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-mDMEaNLjzBYJKwYBBAHaRw8BAQdAoegj6iXzJgxBkW8LyRS8ANRzp0LqyFbW1kRr
-Z4VtVRK0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
-0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7GoCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
-HgECF4AACgkQQngpn7hPaHXNRAEAxOHPULwbf/FIzS7spmdSYrcCX/foaB78rpCT
-/MzDPvMBANy0PcseR1ZxoHZDcAsYDa0CSCrO6oLwPFriVss3RA0GtB1Ub20gQWxl
-eGFuZGVyIDx0b21AZml6ei5idXp6PoiTBBMWCAA7AhsBBQsJCAcCBhUKCQgLAgQW
-AgMBAh4BAheAFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7MkCGQEACgkQQngp
-n7hPaHX9fQEA4ngwEKr0nlKxH5bQV9u/EJeI3wbSgBjlnyTQuI79AB4BAO6+frGt
-8S+p6qFZ4ufqyGPfklxPeOJLSYk0PLKVNMcHuDMEaNLm8xYJKwYBBAHaRw8BAQdA
-HDhppS6yD8j1Bb/i6ku16uQ3qhshDNA9cOQeMxBae9aI9QQYFggAJhYhBNJyyNYW
-fyaFlGdmb0J4KZ+4T2h1BQJo0ubzAhsCBQkDwmcAAIEJEEJ4KZ+4T2h1diAEGRYI
-AB0WIQS9v3ap15pUELURqaY2yZ6LPDnYXwUCaNLm8wAKCRA2yZ6LPDnYXyaNAPsF
-gR37jEqfgEByVsoKY6bB82T79o9d4FQe1iPsURyuLwD/fkQyV3NwGjysxkoZqYmK
-mXJYqtWRBTe2G2UUkm6E/QafHwD+IbkCZ6sGTcexsqzex5x6U8TOvbdVS4dKjSf1
-nVRGxvwBAPiIJsXWVuwmskWMDpcaW/qgQ8hOEuq7/vlkZDGOnMgOuDgEaNLnDBIK
-KwYBBAGXVQEFAQEHQBcOCDGnrRwv51c5B7QVLMkLC2UKUzPPrahLZHT3RWhmAwEI
-B4h+BBgWCAAmFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS5wwCGwwFCQPCZwAA
-CgkQQngpn7hPaHUZIAD/ZwQ9sLIwuO5qPFAAkqcaNyt68O6WkD8sKaq1r/TPviAA
-/j92d7cRUIkJtS8odRYlK51r9eMeTGh2npaO+j3VKCgBuDMEaNLnJRYJKwYBBAHa
-Rw8BAQdAPT7jOLbozd5hacityJHniQ6UbHN+AJcb6jh5rXOnOuSIfgQYFggAJhYh
-BNJyyNYWfyaFlGdmb0J4KZ+4T2h1BQJo0uclAhsgBQkDwmcAAAoJEEJ4KZ+4T2h1
-rREA/3QE6suVUDl4OS2tCi4z2fh/7kjt29I3IFo+/B0AOumgAP0ao8FGqJyFC8YA
-7V6T4qrXHbhlqTeofGhQ+iu7HqZVCw==
-=OfDR
+mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0
+0H+RsWG0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
+uEgVk2PCh3kXlUvhJ95A2bhFXBsFAl+w+R0CGwMFCwkIBwIGFQoJCAsCBBYCAwEC
+HgECF4AACgkQJ95A2bhFXBt6fgD+NOYnw9gz5K/q3H5LE/JvqzCSHezJmeGgif0C
+uU4m1/MA+gPDKME7syEtJsTpELEMrxWWpDW0tD/W1iJE7roGYPQPtB1Ub20gQWxl
+eGFuZGVyIDx0b21AZml6ei5idXp6PoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A
+2bhFXBsFAl2cFhoCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQJ95A2bhF
+XBvYJQEA19wc2s/bEKcnHONC3i8UikLFqZXyYoH6/MFjoAteU8sBAKpE7Qq0zbJb
+XWRESzK3u6p7/+kUqOeDltAuKXTe1FAGuDMEXZwWyhYJKwYBBAHaRw8BAQdAPyIL
+4EGg4T5JO9q2kpVDy2WjMiXz3nZXwYW4GLoTYkiI9QQYFggAJgIbAhYhBLhIFZNj
+wod5F5VL4SfeQNm4RVwbBQJlC4ZhBQkLMdaXAIF2IAQZFggAHRYhBIHmRDmWdVAu
+sSUWutOhecmlPA7eBQJdnBbKAAoJENOhecmlPA7ejJ4A/iq7N2mMhx+ovOXm1REo
+ASPF3l4YAAjOHsXqcPtFHKGJAQCiuA71d6CQ+qNZLuka/KVB/etkkJvDzvaTtiQQ
+QG+gAwkQJ95A2bhFXBtRDgEAqymMavroD5c/4+M/EZ3/d8wxfA9E3Fb/1mt4c2Zr
+NnkBAKYOM+pz/pncFnV+kF7h7TQEEYuGw1JhJVT/duA4lwsLuDMEXZwXARYJKwYB
+BAHaRw8BAQdAa76TmWuKuiR1bnNV1FUE6oQ4C8A+UiQb8x0k1z2DmTKIfgQYFggA
+JgIbIBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkLMdZgAAoJECfeQNm4
+RVwb8TkA/RkBu9Ev8iDE5nvn8YF8FRiY56Z5d+SBPG4VvrCzXrmlAP46wUjIRpkM
+rTbb1GMbvYnkeOrBs/qiWjEtHHc3ZLMWD7g4BF2cFygSCisGAQQBl1UBBQEBB0AO
+0t3BUxLuokTqKVcheFAZd4UKxAGznPQlvsVyhWWIEgMBCAeIfgQYFggAJgIbDBYh
+BLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkLMdY5AAoJECfeQNm4RVwbXscA
+/A8zRRTCwQKxJ8iz5jmTcVFAhl2vD781Dtv8NvcWd5t8APwIwcuFVZZA3yayhIxi
+3aqYpMRxpn2t6Nswax1MIM8DBQ==
+=dzEV
 -----END PGP PUBLIC KEY BLOCK-----

ansible/roles/build/files/gpg_work.asc

@@ -1,27 +1,27 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-mDMEaNLjzBYJKwYBBAHaRw8BAQdAoegj6iXzJgxBkW8LyRS8ANRzp0LqyFbW1kRr
-Z4VtVRK0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
-0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7GoCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
-HgECF4AACgkQQngpn7hPaHXNRAEAxOHPULwbf/FIzS7spmdSYrcCX/foaB78rpCT
-/MzDPvMBANy0PcseR1ZxoHZDcAsYDa0CSCrO6oLwPFriVss3RA0GtB1Ub20gQWxl
-eGFuZGVyIDx0b21AZml6ei5idXp6PoiTBBMWCAA7AhsBBQsJCAcCBhUKCQgLAgQW
-AgMBAh4BAheAFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7MkCGQEACgkQQngp
-n7hPaHX9fQEA4ngwEKr0nlKxH5bQV9u/EJeI3wbSgBjlnyTQuI79AB4BAO6+frGt
-8S+p6qFZ4ufqyGPfklxPeOJLSYk0PLKVNMcHuDMEaNLm8xYJKwYBBAHaRw8BAQdA
-HDhppS6yD8j1Bb/i6ku16uQ3qhshDNA9cOQeMxBae9aI9QQYFggAJhYhBNJyyNYW
-fyaFlGdmb0J4KZ+4T2h1BQJo0ubzAhsCBQkDwmcAAIEJEEJ4KZ+4T2h1diAEGRYI
-AB0WIQS9v3ap15pUELURqaY2yZ6LPDnYXwUCaNLm8wAKCRA2yZ6LPDnYXyaNAPsF
-gR37jEqfgEByVsoKY6bB82T79o9d4FQe1iPsURyuLwD/fkQyV3NwGjysxkoZqYmK
-mXJYqtWRBTe2G2UUkm6E/QafHwD+IbkCZ6sGTcexsqzex5x6U8TOvbdVS4dKjSf1
-nVRGxvwBAPiIJsXWVuwmskWMDpcaW/qgQ8hOEuq7/vlkZDGOnMgOuDgEaNLnDBIK
-KwYBBAGXVQEFAQEHQBcOCDGnrRwv51c5B7QVLMkLC2UKUzPPrahLZHT3RWhmAwEI
-B4h+BBgWCAAmFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS5wwCGwwFCQPCZwAA
-CgkQQngpn7hPaHUZIAD/ZwQ9sLIwuO5qPFAAkqcaNyt68O6WkD8sKaq1r/TPviAA
-/j92d7cRUIkJtS8odRYlK51r9eMeTGh2npaO+j3VKCgBuDMEaNLnJRYJKwYBBAHa
-Rw8BAQdAPT7jOLbozd5hacityJHniQ6UbHN+AJcb6jh5rXOnOuSIfgQYFggAJhYh
-BNJyyNYWfyaFlGdmb0J4KZ+4T2h1BQJo0uclAhsgBQkDwmcAAAoJEEJ4KZ+4T2h1
-rREA/3QE6suVUDl4OS2tCi4z2fh/7kjt29I3IFo+/B0AOumgAP0ao8FGqJyFC8YA
-7V6T4qrXHbhlqTeofGhQ+iu7HqZVCw==
-=OfDR
+mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0
+0H+RsWG0LVRob21hcyBBbGV4YW5kZXIgPFRob21hc0EuQWxleGFuZGVyQGhtaG4u
+b3JnPoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsFAmULicsCGwMFCwkI
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQJ95A2bhFXBsUtQD9GWPdWc/nSmO0Gp7p
+DzxrieliriAnO+ZCHp31mFbMtToBAPxPYN9y4kgSiXhLiFLoRK5k5FCspksTSitg
+0CbXDE4LuDgEXZwWGhIKKwYBBAGXVQEFAQEHQK202EIAwTBuxARUygOvn+AloMJd
+ui39m+nMghn1MNo+AwEIB4h4BBgWCAAgFiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsF
+Al2cFhoCGwwACgkQJ95A2bhFXBtNzAEAq5I6xPjIbb23xmhxh5cM/UJxdGedfWMy
+vF6/JtDvtPUBAPQRQn5AMwTOA+CSnliYf7ZjfVOlHscy60XWPlvXLoAJuDMEXZwW
+yhYJKwYBBAHaRw8BAQdAPyIL4EGg4T5JO9q2kpVDy2WjMiXz3nZXwYW4GLoTYkiI
+9QQYFggAJgIbAhYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZhBQkLMdaXAIF2
+IAQZFggAHRYhBIHmRDmWdVAusSUWutOhecmlPA7eBQJdnBbKAAoJENOhecmlPA7e
+jJ4A/iq7N2mMhx+ovOXm1REoASPF3l4YAAjOHsXqcPtFHKGJAQCiuA71d6CQ+qNZ
+Luka/KVB/etkkJvDzvaTtiQQQG+gAwkQJ95A2bhFXBtRDgEAqymMavroD5c/4+M/
+EZ3/d8wxfA9E3Fb/1mt4c2ZrNnkBAKYOM+pz/pncFnV+kF7h7TQEEYuGw1JhJVT/
+duA4lwsLuDMEXZwXARYJKwYBBAHaRw8BAQdAa76TmWuKuiR1bnNV1FUE6oQ4C8A+
+UiQb8x0k1z2DmTKIfgQYFggAJgIbIBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJl
+C4ZwBQkLMdZgAAoJECfeQNm4RVwb8TkA/RkBu9Ev8iDE5nvn8YF8FRiY56Z5d+SB
+PG4VvrCzXrmlAP46wUjIRpkMrTbb1GMbvYnkeOrBs/qiWjEtHHc3ZLMWD7g4BF2c
+FygSCisGAQQBl1UBBQEBB0AO0t3BUxLuokTqKVcheFAZd4UKxAGznPQlvsVyhWWI
+EgMBCAeIfgQYFggAJgIbDBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkL
+MdY5AAoJECfeQNm4RVwbXscA/A8zRRTCwQKxJ8iz5jmTcVFAhl2vD781Dtv8NvcW
+d5t8APwIwcuFVZZA3yayhIxi3aqYpMRxpn2t6Nswax1MIM8DBQ==
+=0HtE
 -----END PGP PUBLIC KEY BLOCK-----

ansible/roles/build/tasks/linux.yaml

@@ -40,11 +40,11 @@
   command: pacman-key -a -
   args:
     stdin: "{{ lookup('file', pgp_key|default('gpg.asc')) }}"
-  when: '"D272C8D6167F26859467666F4278299FB84F6875" not in pacmankeys.stdout'
+  when: '"B848159363C2877917954BE127DE40D9B8455C1B" not in pacmankeys.stdout'
   register: my_key_imported
 
 - name: Sign my signing key
-  command: pacman-key --lsign-key "D272C8D6167F26859467666F4278299FB84F6875"
+  command: pacman-key --lsign-key "B848159363C2877917954BE127DE40D9B8455C1B"
   when: my_key_imported.changed
 
 - name: Build the aurutils package
@@ -103,8 +103,7 @@
     - /var/cache/pacman/custom/
 
 - name: Create custom repo db
-  # shell: repo-add --new --sign /var/cache/pacman/custom/custom.db.tar "/home/{{ build_user.name }}/.config/ansible_deploy/aurutils/aurutils-*-any.pkg.tar.*"
-  command: repo-add --new --sign /var/cache/pacman/custom/custom.db.tar
+  command: repo-add --new --sign /var/cache/pacman/custom/custom.db.tar "/home/{{ build_user.name }}/.config/ansible_deploy/aurutils/aurutils-*-any.pkg.tar.*"
   become: true
   become_user: "{{ build_user.name }}"
   args:

ansible/roles/chromium/files/chromium-flags.conf

@@ -1,2 +1,2 @@
 --ozone-platform-hint=auto
---enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,AcceleratedVideoEncoder
+--enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE

ansible/roles/emacs/files/elisp/base-extensions.el

@@ -51,27 +51,17 @@
 ;; Persist history over Emacs restarts. Vertico sorts by history position.
 (use-package savehist
   ;; This is an emacs built-in but we're pulling the latest version
-  :pin gnu
   :config
   (savehist-mode))
 
 (use-package which-key
-  :pin gnu
   :diminish
   :config
   (which-key-mode))
 
 (use-package windmove
-  ;; This is an emacs built-in but we're pulling the latest version
-  :pin gnu
-  :bind
-  (
-   ("S-<up>" . windmove-up)
-   ("S-<right>" . windmove-right)
-   ("S-<down>" . windmove-down)
-   ("S-<left>" . windmove-left)
-   )
-  )
+  :config
+  (windmove-default-keybindings))
 
 (setq tramp-default-method "ssh")
 

ansible/roles/emacs/files/elisp/base.el

@@ -63,9 +63,6 @@
  show-trailing-whitespace t
  ;; Remove the line when killing it with ctrl-k
  kill-whole-line t
-
- ;; Show the current project in the mode line
- project-mode-line t
  )
 
 ;; (setq-default fringes-outside-margins t)

ansible/roles/emacs/files/elisp/lang-nix.el

@@ -7,15 +7,15 @@
   :commands nix-mode
   :hook (
          (nix-mode . (lambda ()
-                       (eglot-ensure)
-                       (defclass my/eglot-nix (eglot-lsp-server) ()
-                         :documentation
-                         "Own eglot server class.")
+                             ;; (eglot-ensure)
+                             ;; (defclass my/eglot-nix (eglot-lsp-server) ()
+                             ;;   :documentation
+                             ;;   "Own eglot server class.")
 
-                       (add-to-list 'eglot-server-programs
-                                    '(nix-mode . (my/eglot-nix "nixd")))
-                       (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
-                       ))
+                             ;; (add-to-list 'eglot-server-programs
+                             ;;              '(nix-mode . (my/eglot-nix "nixd")))
+                             ;; (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+                             ))
          )
   )
 

ansible/roles/emacs/files/elisp/lang-org.el

@@ -1,23 +1,16 @@
 (use-package org
   :ensure nil
   :commands org-mode
-  :bind (:map org-mode-map
+  :bind (
          ("C-c l" . org-store-link)
          ("C-c a" . org-agenda)
-         ("S-<up>" . org-shiftup)
-         ("S-<right>" . org-shiftright)
-         ("S-<down>" . org-shiftdown)
-         ("S-<left>" . org-shiftleft)
+         ("C--" . org-timestamp-down)
+         ("C-=" . org-timestamp-up)
          )
   :hook (
          (org-mode . (lambda ()
                        (org-indent-mode +1)
-                       ))
-         ;; Make windmove work in Org mode:
-         (org-shiftup-final . windmove-up)
-         (org-shiftleft-final . windmove-left)
-         (org-shiftdown-final . windmove-down)
-         (org-shiftright-final . windmove-right)
+                        ))
          )
   :config
   (require 'org-tempo)
@@ -45,8 +38,6 @@
 
   ;; TODO: There is an option to set the compiler, could be better than manually doing this here https://orgmode.org/manual/LaTeX_002fPDF-export-commands.html
   ;; (setq org-latex-compiler "lualatex")
-  ;; TODO: nixos latex page recommends this line, figure out what it does / why its needed:
-  ;; (setq org-preview-latex-default-process 'dvisvgm)
   (setq org-latex-pdf-process
         '("lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
           "lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
@@ -87,8 +78,4 @@
 (use-package gnuplot)
 (use-package graphviz-dot-mode)
 
-(use-package htmlize
-  ;; For syntax highlighting when exporting to HTML.
-  )
-
 (provide 'lang-org)

ansible/roles/emacs/files/elisp/util-tree-sitter.el

@@ -4,8 +4,6 @@
   :commands (treesit-install-language-grammar treesit-ready-p)
   :init
   (setq treesit-language-source-alist '())
-  :custom
-  (treesit-max-buffer-size 209715200) ;; 200MiB
   :config
   ;; Default to the max level of detail in treesitter highlighting. This
   ;; can be overridden in each language's use-package call with:

ansible/roles/emacs/files/init.el

@@ -38,8 +38,4 @@
 
 (require 'lang-nix)
 
-(require 'lang-cmake)
-
-(require 'lang-d2)
-
 (load-directory autoload-directory)

ansible/roles/emacs/tasks/linux.yaml

@@ -15,7 +15,6 @@
       - typescript-language-server
       - shellcheck
       - vscode-css-languageserver
-      - d2 # Generating diagrams
     state: present
 
 - name: Create directories

ansible/roles/firefox/defaults/main.yaml

@@ -7,6 +7,7 @@ firefox_config:
   dom.security.https_only_mode_ever_enabled: true
   extensions.activeThemeID: "firefox-compact-dark@mozilla.org"
   # Disable ads
+  extensions.pocket.enabled: false
   browser.newtabpage.activity-stream.showSponsored: false
   browser.newtabpage.activity-stream.showSponsoredTopSites: false
   browser.newtabpage.activity-stream.feeds.section.topstories: false
@@ -20,6 +21,8 @@ firefox_config:
   privacy.globalprivacycontrol.enabled: true
   # Disable "studies" (slice testing)
   app.shield.optoutstudies.enabled: false
+  # Disable attribution which is used by advertisers to track you.
+  dom.private-attribution.submission.enabled: false
   # Disable battery status, used to track users.
   dom.battery.enabled: false
   # Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
@@ -37,8 +40,6 @@ firefox_config:
   privacy.fingerprintingProtection: true
   # Allow sending dark mode preference to websites.
   # Allow sending timezone to websites.
-  privacy.fingerprintingProtection.overrides: "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked,-CanvasImageExtractionPrompt,-CanvasExtractionFromThirdPartiesIsBlocked"
+  privacy.fingerprintingProtection.overrides: "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked"
   # Disable weather on new tab page
   browser.newtabpage.activity-stream.showWeather: false
-  browser.ml.chat.enabled: false
-  browser.ml.enabled: false

ansible/roles/firefox/tasks/linux.yaml

@@ -3,5 +3,4 @@
     name:
       - libfido2
       - firefox-developer-edition
-      - speech-dispatcher # For TTS
     state: present

ansible/roles/firewall/files/mrmanager_pf.conf

@@ -2,8 +2,7 @@ ext_if = "lagg0"
 not_ext_if = "{ !lagg0 }"
 jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
-# pub_k8s = "{ 74.80.180.136/29, !74.80.180.138 }"
-pub_k8s = "{ 74.80.180.137, 74.80.180.139, 74.80.180.140, 74.80.180.141, 74.80.180.142 }"
+pub_k8s = "{ 74.80.180.136/29, !74.80.180.138 }"
 
 dhcp = "{ bootpc, bootps }"
 allow = "{ colo }"
@@ -36,22 +35,18 @@ scrub in on $ext_if all fragment reassemble
 nat on $ext_if inet from ! ($ext_if) to ! ($ext_if) -> ($ext_if)
 rdr pass on jail_nat proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53
 
-rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
+rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 -> 10.215.1.204 port 6443
 rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
 
-rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 19993 tag REDIRINTERNAL -> 10.215.1.204 port 19993
+rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 19993 -> 10.215.1.204 port 19993
 rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 19993 tag REDIRINTERNAL -> 10.215.1.204 port 19993
 
-rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65099 tag REDIRINTERNAL -> 10.215.1.210 port 22
+rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65099 -> 10.215.1.210 port 22
 rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 65099 tag REDIRINTERNAL -> 10.215.1.210 port 22
 
-# log (to pflog1)
-rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 53 tag REDIRINTERNAL -> 10.215.1.211 port 53
+rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 53 -> 10.215.1.211 port 53
 rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 53 tag REDIRINTERNAL -> 10.215.1.211 port 53
 
-rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65122 tag REDIRINTERNAL -> 10.215.1.219 port 22
-rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 65122 tag REDIRINTERNAL -> 10.215.1.219 port 22
-
 nat pass tagged REDIRINTERNAL -> (jail_nat)
 nat pass tagged REDIREXTERNAL -> ($ext_if)
 
@@ -69,8 +64,6 @@ pass quick on $allow
 # Single interface kubernetes cluster is working with the following run on mrmanager:
 #   doas route add -host 74.80.180.139 -interface jail_nat
 #   doas route add -net 10.129.0.0/16 -interface jail_nat
-#   ? doas route -6 add -net '2620:11f:7001:7:ffff:ffff:0ad7:0100/120' -interface jail_nat
-#   ? doas ifconfig jail_nat inet6 2620:11f:7001:7:ffff:ffff:0ad7:0101/120
 #   doas sysctl net.link.ether.inet.proxyall=1
 # Plus this in pf.conf:
 #   pass quick from any to 74.80.180.139
@@ -80,10 +73,6 @@ pass in on jail_nat
 # Allow traffic from my machine to the jails/virtual machines
 pass out on jail_nat from (jail_nat:network)
 
-#pass quick in on $ext_if proto {tcp6, udp6} from any to 2620:11f:7001:7:ffff:ffff:0ad7:0100/120
-pass in quick on $ext_if from any to 2620:11f:7001:7:ffff:ffff:0ad7:0100/120
-pass out quick on jail_nat to 2620:11f:7001:7:ffff:ffff:0ad7:0100/120
-
 
 pass in on $ext_if proto tcp to any port $tcp_pass_in
 pass in on $ext_if proto udp to any port $udp_pass_in

ansible/roles/framework_laptop/files/screen_brightness_tmpfiles.conf

@@ -1,2 +1,2 @@
 # Set screen brightness. Ever since enabling adaptive brightness management, my brightness ends up sinking lower on re-boots (I suspect it is saving the actual brightness rather than the set brightness). This forces the brightness back to the level I prefer.
-w- /sys/class/backlight/amdgpu_bl0/brightness - - - - 21845
+w- /sys/class/backlight/amdgpu_bl0/brightness - - - - 85

ansible/roles/framework_laptop/tasks/linux.yaml

@@ -34,7 +34,7 @@
 
 - name: Configure kernel command line
   zfs:
-    name: "zroot/linux/archwork/be"
+    name: "zroot/linux"
     state: present
     extra_zfs_properties:
       # amdgpu.abmlevel=3 :: Automatically reduce screen brightness but tweak colors to compensate for power reduction.
@@ -44,7 +44,7 @@
       # amd_pstate=active :: Same as passive except we can set the energy performance preference (EPP) to suggest how much we prefer performance or energy efficiency.
       # amd_pstate=guided :: Same as passive except we can set upper and lower frequency bounds.
       # amdgpu.dcdebugmask=0x10 :: Allegedly disables Panel Replay from https://community.frame.work/t/tracking-freezing-arch-linux-amd/39495/32
-      "org.zfsbootmenu:commandline": "rw quiet amdgpu.abmlevel=2 pcie_aspm=force pcie_aspm.policy=powersupersave nowatchdog amdgpu.dcdebugmask=0x10"
+      "org.zfsbootmenu:commandline": "rw quiet amdgpu.abmlevel=3 pcie_aspm=force pcie_aspm.policy=powersupersave nowatchdog amdgpu.dcdebugmask=0x10"
 
 - name: Install Configuration
   copy:

ansible/roles/gpg/files/gpg.asc

@@ -1,27 +1,27 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-mDMEaNLjzBYJKwYBBAHaRw8BAQdAoegj6iXzJgxBkW8LyRS8ANRzp0LqyFbW1kRr
-Z4VtVRK0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
-0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7GoCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
-HgECF4AACgkQQngpn7hPaHXNRAEAxOHPULwbf/FIzS7spmdSYrcCX/foaB78rpCT
-/MzDPvMBANy0PcseR1ZxoHZDcAsYDa0CSCrO6oLwPFriVss3RA0GtB1Ub20gQWxl
-eGFuZGVyIDx0b21AZml6ei5idXp6PoiTBBMWCAA7AhsBBQsJCAcCBhUKCQgLAgQW
-AgMBAh4BAheAFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7MkCGQEACgkQQngp
-n7hPaHX9fQEA4ngwEKr0nlKxH5bQV9u/EJeI3wbSgBjlnyTQuI79AB4BAO6+frGt
-8S+p6qFZ4ufqyGPfklxPeOJLSYk0PLKVNMcHuDMEaNLm8xYJKwYBBAHaRw8BAQdA
-HDhppS6yD8j1Bb/i6ku16uQ3qhshDNA9cOQeMxBae9aI9QQYFggAJhYhBNJyyNYW
-fyaFlGdmb0J4KZ+4T2h1BQJo0ubzAhsCBQkDwmcAAIEJEEJ4KZ+4T2h1diAEGRYI
-AB0WIQS9v3ap15pUELURqaY2yZ6LPDnYXwUCaNLm8wAKCRA2yZ6LPDnYXyaNAPsF
-gR37jEqfgEByVsoKY6bB82T79o9d4FQe1iPsURyuLwD/fkQyV3NwGjysxkoZqYmK
-mXJYqtWRBTe2G2UUkm6E/QafHwD+IbkCZ6sGTcexsqzex5x6U8TOvbdVS4dKjSf1
-nVRGxvwBAPiIJsXWVuwmskWMDpcaW/qgQ8hOEuq7/vlkZDGOnMgOuDgEaNLnDBIK
-KwYBBAGXVQEFAQEHQBcOCDGnrRwv51c5B7QVLMkLC2UKUzPPrahLZHT3RWhmAwEI
-B4h+BBgWCAAmFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS5wwCGwwFCQPCZwAA
-CgkQQngpn7hPaHUZIAD/ZwQ9sLIwuO5qPFAAkqcaNyt68O6WkD8sKaq1r/TPviAA
-/j92d7cRUIkJtS8odRYlK51r9eMeTGh2npaO+j3VKCgBuDMEaNLnJRYJKwYBBAHa
-Rw8BAQdAPT7jOLbozd5hacityJHniQ6UbHN+AJcb6jh5rXOnOuSIfgQYFggAJhYh
-BNJyyNYWfyaFlGdmb0J4KZ+4T2h1BQJo0uclAhsgBQkDwmcAAAoJEEJ4KZ+4T2h1
-rREA/3QE6suVUDl4OS2tCi4z2fh/7kjt29I3IFo+/B0AOumgAP0ao8FGqJyFC8YA
-7V6T4qrXHbhlqTeofGhQ+iu7HqZVCw==
-=OfDR
+mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0
+0H+RsWG0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
+uEgVk2PCh3kXlUvhJ95A2bhFXBsFAl+w+R0CGwMFCwkIBwIGFQoJCAsCBBYCAwEC
+HgECF4AACgkQJ95A2bhFXBt6fgD+NOYnw9gz5K/q3H5LE/JvqzCSHezJmeGgif0C
+uU4m1/MA+gPDKME7syEtJsTpELEMrxWWpDW0tD/W1iJE7roGYPQPtB1Ub20gQWxl
+eGFuZGVyIDx0b21AZml6ei5idXp6PoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A
+2bhFXBsFAl2cFhoCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQJ95A2bhF
+XBvYJQEA19wc2s/bEKcnHONC3i8UikLFqZXyYoH6/MFjoAteU8sBAKpE7Qq0zbJb
+XWRESzK3u6p7/+kUqOeDltAuKXTe1FAGuDMEXZwWyhYJKwYBBAHaRw8BAQdAPyIL
+4EGg4T5JO9q2kpVDy2WjMiXz3nZXwYW4GLoTYkiI9QQYFggAJgIbAhYhBLhIFZNj
+wod5F5VL4SfeQNm4RVwbBQJlC4ZhBQkLMdaXAIF2IAQZFggAHRYhBIHmRDmWdVAu
+sSUWutOhecmlPA7eBQJdnBbKAAoJENOhecmlPA7ejJ4A/iq7N2mMhx+ovOXm1REo
+ASPF3l4YAAjOHsXqcPtFHKGJAQCiuA71d6CQ+qNZLuka/KVB/etkkJvDzvaTtiQQ
+QG+gAwkQJ95A2bhFXBtRDgEAqymMavroD5c/4+M/EZ3/d8wxfA9E3Fb/1mt4c2Zr
+NnkBAKYOM+pz/pncFnV+kF7h7TQEEYuGw1JhJVT/duA4lwsLuDMEXZwXARYJKwYB
+BAHaRw8BAQdAa76TmWuKuiR1bnNV1FUE6oQ4C8A+UiQb8x0k1z2DmTKIfgQYFggA
+JgIbIBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkLMdZgAAoJECfeQNm4
+RVwb8TkA/RkBu9Ev8iDE5nvn8YF8FRiY56Z5d+SBPG4VvrCzXrmlAP46wUjIRpkM
+rTbb1GMbvYnkeOrBs/qiWjEtHHc3ZLMWD7g4BF2cFygSCisGAQQBl1UBBQEBB0AO
+0t3BUxLuokTqKVcheFAZd4UKxAGznPQlvsVyhWWIEgMBCAeIfgQYFggAJgIbDBYh
+BLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkLMdY5AAoJECfeQNm4RVwbXscA
+/A8zRRTCwQKxJ8iz5jmTcVFAhl2vD781Dtv8NvcWd5t8APwIwcuFVZZA3yayhIxi
+3aqYpMRxpn2t6Nswax1MIM8DBQ==
+=dzEV
 -----END PGP PUBLIC KEY BLOCK-----

ansible/roles/gpg/files/gpg_work.asc

@@ -1,27 +1,27 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-mDMEaNLjzBYJKwYBBAHaRw8BAQdAoegj6iXzJgxBkW8LyRS8ANRzp0LqyFbW1kRr
-Z4VtVRK0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
-0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7GoCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
-HgECF4AACgkQQngpn7hPaHXNRAEAxOHPULwbf/FIzS7spmdSYrcCX/foaB78rpCT
-/MzDPvMBANy0PcseR1ZxoHZDcAsYDa0CSCrO6oLwPFriVss3RA0GtB1Ub20gQWxl
-eGFuZGVyIDx0b21AZml6ei5idXp6PoiTBBMWCAA7AhsBBQsJCAcCBhUKCQgLAgQW
-AgMBAh4BAheAFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS7MkCGQEACgkQQngp
-n7hPaHX9fQEA4ngwEKr0nlKxH5bQV9u/EJeI3wbSgBjlnyTQuI79AB4BAO6+frGt
-8S+p6qFZ4ufqyGPfklxPeOJLSYk0PLKVNMcHuDMEaNLm8xYJKwYBBAHaRw8BAQdA
-HDhppS6yD8j1Bb/i6ku16uQ3qhshDNA9cOQeMxBae9aI9QQYFggAJhYhBNJyyNYW
-fyaFlGdmb0J4KZ+4T2h1BQJo0ubzAhsCBQkDwmcAAIEJEEJ4KZ+4T2h1diAEGRYI
-AB0WIQS9v3ap15pUELURqaY2yZ6LPDnYXwUCaNLm8wAKCRA2yZ6LPDnYXyaNAPsF
-gR37jEqfgEByVsoKY6bB82T79o9d4FQe1iPsURyuLwD/fkQyV3NwGjysxkoZqYmK
-mXJYqtWRBTe2G2UUkm6E/QafHwD+IbkCZ6sGTcexsqzex5x6U8TOvbdVS4dKjSf1
-nVRGxvwBAPiIJsXWVuwmskWMDpcaW/qgQ8hOEuq7/vlkZDGOnMgOuDgEaNLnDBIK
-KwYBBAGXVQEFAQEHQBcOCDGnrRwv51c5B7QVLMkLC2UKUzPPrahLZHT3RWhmAwEI
-B4h+BBgWCAAmFiEE0nLI1hZ/JoWUZ2ZvQngpn7hPaHUFAmjS5wwCGwwFCQPCZwAA
-CgkQQngpn7hPaHUZIAD/ZwQ9sLIwuO5qPFAAkqcaNyt68O6WkD8sKaq1r/TPviAA
-/j92d7cRUIkJtS8odRYlK51r9eMeTGh2npaO+j3VKCgBuDMEaNLnJRYJKwYBBAHa
-Rw8BAQdAPT7jOLbozd5hacityJHniQ6UbHN+AJcb6jh5rXOnOuSIfgQYFggAJhYh
-BNJyyNYWfyaFlGdmb0J4KZ+4T2h1BQJo0uclAhsgBQkDwmcAAAoJEEJ4KZ+4T2h1
-rREA/3QE6suVUDl4OS2tCi4z2fh/7kjt29I3IFo+/B0AOumgAP0ao8FGqJyFC8YA
-7V6T4qrXHbhlqTeofGhQ+iu7HqZVCw==
-=OfDR
+mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0
+0H+RsWG0LVRob21hcyBBbGV4YW5kZXIgPFRob21hc0EuQWxleGFuZGVyQGhtaG4u
+b3JnPoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsFAmULicsCGwMFCwkI
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQJ95A2bhFXBsUtQD9GWPdWc/nSmO0Gp7p
+DzxrieliriAnO+ZCHp31mFbMtToBAPxPYN9y4kgSiXhLiFLoRK5k5FCspksTSitg
+0CbXDE4LuDgEXZwWGhIKKwYBBAGXVQEFAQEHQK202EIAwTBuxARUygOvn+AloMJd
+ui39m+nMghn1MNo+AwEIB4h4BBgWCAAgFiEEuEgVk2PCh3kXlUvhJ95A2bhFXBsF
+Al2cFhoCGwwACgkQJ95A2bhFXBtNzAEAq5I6xPjIbb23xmhxh5cM/UJxdGedfWMy
+vF6/JtDvtPUBAPQRQn5AMwTOA+CSnliYf7ZjfVOlHscy60XWPlvXLoAJuDMEXZwW
+yhYJKwYBBAHaRw8BAQdAPyIL4EGg4T5JO9q2kpVDy2WjMiXz3nZXwYW4GLoTYkiI
+9QQYFggAJgIbAhYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZhBQkLMdaXAIF2
+IAQZFggAHRYhBIHmRDmWdVAusSUWutOhecmlPA7eBQJdnBbKAAoJENOhecmlPA7e
+jJ4A/iq7N2mMhx+ovOXm1REoASPF3l4YAAjOHsXqcPtFHKGJAQCiuA71d6CQ+qNZ
+Luka/KVB/etkkJvDzvaTtiQQQG+gAwkQJ95A2bhFXBtRDgEAqymMavroD5c/4+M/
+EZ3/d8wxfA9E3Fb/1mt4c2ZrNnkBAKYOM+pz/pncFnV+kF7h7TQEEYuGw1JhJVT/
+duA4lwsLuDMEXZwXARYJKwYBBAHaRw8BAQdAa76TmWuKuiR1bnNV1FUE6oQ4C8A+
+UiQb8x0k1z2DmTKIfgQYFggAJgIbIBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJl
+C4ZwBQkLMdZgAAoJECfeQNm4RVwb8TkA/RkBu9Ev8iDE5nvn8YF8FRiY56Z5d+SB
+PG4VvrCzXrmlAP46wUjIRpkMrTbb1GMbvYnkeOrBs/qiWjEtHHc3ZLMWD7g4BF2c
+FygSCisGAQQBl1UBBQEBB0AO0t3BUxLuokTqKVcheFAZd4UKxAGznPQlvsVyhWWI
+EgMBCAeIfgQYFggAJgIbDBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkL
+MdY5AAoJECfeQNm4RVwbXscA/A8zRRTCwQKxJ8iz5jmTcVFAhl2vD781Dtv8NvcW
+d5t8APwIwcuFVZZA3yayhIxi3aqYpMRxpn2t6Nswax1MIM8DBQ==
+=0HtE
 -----END PGP PUBLIC KEY BLOCK-----

ansible/roles/jail/files/jails/rg.conf

@@ -1,15 +0,0 @@
-rg {
-    path = "/jail/${name}";
-    vnet;
-    exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
-    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
-    vnet.interface += "jail${name}";
-
-    devfs_ruleset = 14;
-    mount.devfs;
-    mount.fstab = "/etc/fstab.${name}";
-
-    exec.start += "/bin/sh /etc/rc";
-    exec.stop = "/bin/sh /etc/rc.shutdown jail";
-    exec.consolelog = "/var/log/jail_${name}_console.log";
-}

ansible/roles/jail/templates/new_jail.bash.j2

@@ -26,7 +26,7 @@ function by_src {
 }
 
 function by_bin {
-    DESTRELEASE=14.3-RELEASE
+    DESTRELEASE=13.2-RELEASE
     DESTARCH=`uname -m`
     SOURCEURL=http://ftp.freebsd.org/pub/FreeBSD/releases/$DESTARCH/$DESTRELEASE/
     for component in base ports; do fetch $SOURCEURL/$component.txz -o - | tar -xf - -C "$DESTDIR" ; done

ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf

@@ -94,54 +94,7 @@
                         // momlaptop - hard-coded in rc.conf, reproduced here to reserve ip
                         "hw-address": "06:85:69:c5:6a:d6",
                         "ip-address": "10.215.1.218"
-                    },
-                    {
-                        // hydra
-                        "hw-address": "06:84:36:68:03:77",
-                        "ip-address": "10.215.1.219"
-                    },
-                    {
-                        // certificate - hard-coded in rc.conf, reproduced here to reserve ip
-                        "hw-address": "06:7b:e0:08:16:5d",
-                        "ip-address": "10.215.1.220"
-                    },
-                    {
-                        // nix controller0 - hard-coded in nix config, reproduced here to reserve ip
-                        // IPv6: 2620:11f:7001:7:ffff:ffff:0ad7:01dd
-                        "hw-address": "06:7b:e0:08:16:01",
-                        "ip-address": "10.215.1.221"
-                    },
-                    {
-                        // nix controller1 - hard-coded in nix config, reproduced here to reserve ip
-                        // IPv6: 2620:11f:7001:7:ffff:ffff:0ad7:01de
-                        "hw-address": "06:7b:e0:08:16:02",
-                        "ip-address": "10.215.1.222"
-                    },
-                    {
-                        // nix controller2 - hard-coded in nix config, reproduced here to reserve ip
-                        // IPv6: 2620:11f:7001:7:ffff:ffff:0ad7:01df
-                        "hw-address": "06:7b:e0:08:16:03",
-                        "ip-address": "10.215.1.223"
-                    },
-                    {
-                        // nix worker0 - hard-coded in nix config, reproduced here to reserve ip
-                        // IPv6: 2620:11f:7001:7:ffff:ffff:0ad7:01e0
-                        "hw-address": "06:7b:e0:08:16:04",
-                        "ip-address": "10.215.1.224"
-                    },
-                    {
-                        // nix worker1 - hard-coded in nix config, reproduced here to reserve ip
-                        // IPv6: 2620:11f:7001:7:ffff:ffff:0ad7:01e1
-                        "hw-address": "06:7b:e0:08:16:05",
-                        "ip-address": "10.215.1.225"
-                    },
-                    {
-                        // nix worker2 - hard-coded in nix config, reproduced here to reserve ip
-                        // IPv6: 2620:11f:7001:7:ffff:ffff:0ad7:01e2
-                        "hw-address": "06:7b:e0:08:16:06",
-                        "ip-address": "10.215.1.226"
                     }
-
                 ]
             }
         ],

ansible/roles/javascript/tasks/linux.yaml

@@ -1,3 +1,19 @@
+- name: Build aur packages
+  register: buildaur
+  become_user: "{{ build_user.name }}"
+  command: "aurutils-sync --no-view {{ item }}"
+  args:
+    creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+  loop:
+    - nvm
+
+- name: Update cache
+  when: buildaur.changed
+  pacman:
+    name: []
+    state: present
+    update_cache: true
+
 - name: Install packages
   package:
     name:

ansible/roles/kanshi/files/config_kanshi

@@ -1,11 +1,3 @@
-profile office {
-	output eDP-1 disable
-	output "Dell Inc. DELL C2722DE 6PH6T83" enable
-}
-profile office2 {
-	output eDP-1 disable
-	output "BOE 0x0BCA Unknown" enable
-}
 profile docked {
 	output eDP-1 disable
 	output "Dell Inc. DELL U3014 P1V6N35M329L" enable

ansible/roles/mrmanager/files/nfsd_rc.conf

@@ -1,4 +1 @@
 nfs_server_enable="YES"
-# nfsv4_server_enable="YES"
-# nfsv4_server_only="YES"
-nfs_server_flags="-u -t --minthreads 1 --maxthreads 32"

ansible/roles/mrmanager/tasks/freebsd.yaml

@@ -8,37 +8,37 @@
     - name: net.link.ether.inet.proxyall
       value: "1"
 
-# - name: Install service configuration
-#   copy:
-#     src: "files/{{ item }}_rc.conf"
-#     dest: "/etc/rc.conf.d/{{ item }}"
-#     mode: 0644
-#     owner: root
-#     group: wheel
-#   loop:
-#     - nfsd
-#     - mountd
-#     - lockd
-#     - statd
-#     - rpcbind
+- name: Install service configuration
+  copy:
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - nfsd
+    - mountd
+    - lockd
+    - statd
+    - rpcbind
 
-# - name: Create zfs datasets
-#   zfs:
-#     name: zdata/k8spersistent
-#     state: present
-#     extra_zfs_properties:
-#       sharenfs: "-network 10.215.1.0/24,-alldirs,-maproot=root:root"
-#       mountpoint: /k8spersistent
+- name: Create zfs datasets
+  zfs:
+    name: zdata/k8spersistent
+    state: present
+    extra_zfs_properties:
+      sharenfs: "-network 10.215.1.0/24,-alldirs,-maproot=root:root"
+      mountpoint: /k8spersistent
 
-# - name: Update ownership
-#   file:
-#     name: "{{ item }}"
-#     state: directory
-#     mode: 0777
-#     owner: root
-#     group: wheel
-#   loop:
-#     - /k8spersistent
+- name: Update ownership
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0777
+    owner: root
+    group: wheel
+  loop:
+    - /k8spersistent
 
 - name: Install scripts
   copy:

ansible/roles/ndproxy/defaults/main.yaml

@@ -1 +0,0 @@
-# foo: []

ansible/roles/ndproxy/handlers/main.yaml

@@ -1,14 +0,0 @@
-# - name: restart foo freebsd
-#   when: 'os_flavor == "freebsd"'
-#   listen: restart foo
-#   service:
-#     name: foo
-#     state: restarted
-
-# - name: restart ssh linux
-#   when: 'os_flavor == "linux"'
-#   listen: restart foo
-#   systemd:
-#     state: restarted
-#     name: foo
-#     daemon_reload: yes

ansible/roles/ndproxy/meta/main.yaml

@@ -1,2 +0,0 @@
-# dependencies:
-#   - users

ansible/roles/ndproxy/tasks/common.yaml

@@ -1,55 +0,0 @@
-# - name: Create directories
-#   file:
-#     name: "{{ item }}"
-#     state: directory
-#     mode: 0755
-#     owner: root
-#     group: wheel
-#   loop:
-#     - /foo/bar
-
-# - name: Install scripts
-#   copy:
-#     src: "files/{{ item.src }}"
-#     dest: "{{ item.dest }}"
-#     mode: 0755
-#     owner: root
-#     group: wheel
-#   loop:
-#     - src: foo.bash
-#       dest: /usr/local/bin/foo
-
-# - name: Install Configuration
-#   copy:
-#     src: "files/{{ item.src }}"
-#     dest: "{{ item.dest }}"
-#     mode: 0600
-#     owner: root
-#     group: wheel
-#   loop:
-#     - src: foo.conf
-#       dest: /usr/local/etc/foo.conf
-
-# - name: Clone Source
-#   git:
-#     repo: "https://foo.bar/baz.git"
-#     dest: /foo/bar
-#     version: "v1.0.2"
-#     force: true
-#   diff: false
-
-- import_tasks: tasks/freebsd.yaml
-  when: 'os_flavor == "freebsd"'
-
-- import_tasks: tasks/linux.yaml
-  when: 'os_flavor == "linux"'
-
-- include_tasks:
-    file: tasks/peruser.yaml
-    apply:
-      become: yes
-      become_user: "{{ initialize_user }}"
-  when: users is defined
-  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
-  loop_control:
-    loop_var: initialize_user

ansible/roles/ndproxy/tasks/freebsd.yaml

@@ -1,15 +0,0 @@
-- name: Install packages
-  package:
-    name:
-      - ndproxy
-    state: present
-
-- name: Install service configuration
-  copy:
-    src: "files/{{ item }}_rc.conf"
-    dest: "/etc/rc.conf.d/{{ item }}"
-    mode: 0644
-    owner: root
-    group: wheel
-  loop:
-    - ndproxy

ansible/roles/ndproxy/tasks/linux.yaml

@@ -1,29 +0,0 @@
-# - name: Build aur packages
-#   register: buildaur
-#   become_user: "{{ build_user.name }}"
-#   command: "aurutils-sync --no-view {{ item }}"
-#   args:
-#     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
-#   loop:
-#     - foo
-
-# - name: Update cache
-#   when: buildaur.changed
-#   pacman:
-#     name: []
-#     state: present
-#     update_cache: true
-
-# - name: Install packages
-#   package:
-#     name:
-#       - foo
-#     state: present
-
-# - name: Enable services
-#   systemd:
-#     enabled: yes
-#     name: "{{ item }}"
-#     daemon_reload: yes
-#   loop:
-#     - foo.service

ansible/roles/ndproxy/tasks/main.yaml

@@ -1,2 +0,0 @@
-- import_tasks: tasks/common.yaml
-  # when: foo is defined

ansible/roles/ndproxy/tasks/peruser.yaml

@@ -1,29 +0,0 @@
-- include_role:
-    name: per_user
-
-# - name: Create directories
-#   file:
-#     name: "{{ account_homedir.stdout }}/{{ item }}"
-#     state: directory
-#     mode: 0700
-#     owner: "{{ account_name.stdout }}"
-#     group: "{{ group_name.stdout }}"
-#   loop:
-#     - ".config/foo"
-
-# - name: Copy files
-#   copy:
-#     src: "files/{{ item.src }}"
-#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
-#     mode: 0600
-#     owner: "{{ account_name.stdout }}"
-#     group: "{{ group_name.stdout }}"
-#   loop:
-#     - src: foo.conf
-#       dest: .config/foo/foo.conf
-
-- import_tasks: tasks/peruser_freebsd.yaml
-  when: 'os_flavor == "freebsd"'
-
-- import_tasks: tasks/peruser_linux.yaml
-  when: 'os_flavor == "linux"'

ansible/roles/network/files/main.conf

@@ -1,11 +1,6 @@
-[DriverQuirks]
-PowerSaveDisable=*
-
 [General]
-AddressRandomization=network
 EnableNetworkConfiguration=true
+# AddressRandomization=network
 
-[Rank]
-BandModifier2_4GHz=1.000000
-BandModifier5GHz=1.000000
-BandModifier6GHz=0.000000
+# Needed for Qualcomm WCN785x
+ControlPortOverNL80211=false

ansible/roles/package_manager/files/freeze_kernel.conf

@@ -1,2 +1,2 @@
 [options]
-IgnorePkg   = linux linux-headers chromium
+IgnorePkg   = linux linux-headers

ansible/roles/package_manager/files/pacman.conf

@@ -81,6 +81,12 @@ Include = /etc/pacman.d/mirrorlist
 [extra]
 Include = /etc/pacman.d/mirrorlist
 
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/mirrorlist
+
 # If you want to run 32 bit applications on your x86_64 system,
 # enable the multilib repositories as required here.
 

ansible/roles/public_dns/files/master.db

@@ -23,9 +23,6 @@ $ORIGIN fizz.buzz.
 ; Allows receivers to know you send your mail via Fastmail, and other servers
 IN TXT v=spf1 include:spf.messagingengine.com ?all
 
-; Tell receivers what to do with fake email
-_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@fizz.buzz;"
-
 ns1     IN A     74.80.180.138
 ns2     IN A     74.80.180.138
 

ansible/roles/sftp/tasks/common.yaml

@@ -64,6 +64,23 @@
 #     force: true
 #   diff: false
 
+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0700
+    owner: nochainstounlock
+    group: nochainstounlock
+  loop:
+    - /home/nochainstounlock/.ssh
+
+- name: Set authorized keys
+  authorized_key:
+    user: nochainstounlock
+    key: |
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMrjXsXjtxEm47XnRZfo67kJULoc0NBLrB0lPYFiS2Ar kodi@neelix
+    exclusive: true
+
 - import_tasks: tasks/freebsd.yaml
   when: 'os_flavor == "freebsd"'
 

ansible/roles/sway/files/config

@@ -23,7 +23,6 @@ set $menu wofi --show drun --gtk-dark
 
 # Do not show a title bar on windows
 default_border pixel 2
-hide_edge_borders smart_no_gaps
 
 bindsym $mod+grave exec $term
 

ansible/roles/sway/files/start_screen_share.bash

@@ -5,6 +5,6 @@ set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
-makoctl mode -s do-not-disturb
+makoctl set-mode do-not-disturb
 
 swaymsg output "'Dell Inc. DELL U3014 P1V6N35M329L'" scale 2

ansible/roles/sway/files/stop_screen_share.bash

@@ -5,6 +5,6 @@ set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
-makoctl mode -s default
+makoctl set-mode default
 
 swaymsg output "'Dell Inc. DELL U3014 P1V6N35M329L'" scale 1

ansible/roles/sway/tasks/linux.yaml

@@ -5,7 +5,7 @@
   args:
     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
   loop:
-    # - wlvncc-git
+    - wlvncc-git
     - wl-screenrec-git
 
 - name: Update cache
@@ -23,7 +23,7 @@
       - xorg-xeyes
       - xorg-xwayland
       - rofimoji
-      # - wlvncc-git
+      - wlvncc-git
       - wl-screenrec-git # screen recording
 
 - name: Install scripts

ansible/roles/vscode/files/keybindings.json

@@ -20,12 +20,6 @@
         "command": "-workbench.action.navigateBack",
         "when": "canNavigateBack"
     },
-  {
-    // This isn't quite right. In emacs it would go back to the last location you performed an action which could include navigation. This goes back to the place where you last changed the text. Either way, close enough.
-        "key": "ctrl+x ctrl+x",
-        "command": "workbench.action.navigateToLastEditLocation",
-        "when": "canNavigateToLastEditLocation"
-    },
     {
         "key": "shift+alt+/",
         "command": "editor.action.goToReferences",
@@ -282,15 +276,5 @@
     {
         "key": "ctrl+k ctrl+p",
         "command": "-workbench.action.showAllEditors"
-    },
-    {
-        "key": "shift+enter",
-        "command": "-python.execInREPL",
-        "when": "config.python.REPL.sendToNativeREPL && editorTextFocus && !isCompositeNotebook && !jupyter.ownsSelection && !notebookEditorFocused && editorLangId == 'python'"
-    },
-    {
-        "key": "shift+enter",
-        "command": "-python.execSelectionInTerminal",
-        "when": "editorTextFocus && !findInputFocussed && !isCompositeNotebook && !jupyter.ownsSelection && !notebookEditorFocused && !replaceInputFocussed && editorLangId == 'python'"
     }
 ]

ansible/roles/vscode/files/settings.json

@@ -18,7 +18,6 @@
   "workbench.editor.showTabs": "none",
   "workbench.activityBar.location": "hidden",
   "window.menuBarVisibility": "toggle",
-  "window.commandCenter": false,
   "explorer.autoReveal": false,
   "[python]": {
     "editor.defaultFormatter": "ms-python.black-formatter",
@@ -32,26 +31,11 @@
     "editor.defaultFormatter": "hashicorp.terraform",
     "editor.formatOnSave": true
   },
-  "[typescript]": {
-    "editor.defaultFormatter": "esbenp.prettier-vscode",
-    "editor.formatOnSave": true
-  },
-  "[typescriptreact]": {
-    "editor.defaultFormatter": "esbenp.prettier-vscode",
-    "editor.formatOnSave": true
-  },
-  "javascript.autoClosingTags": false,
-  "typescript.autoClosingTags": false,
   "black-formatter.importStrategy": "fromEnvironment",
   "workbench.statusBar.visible": false,
   "git.openRepositoryInParentFolders": "never",
   "files.autoSave": "afterDelay",
   "editor.rulers": [
     100
-  ],
-  "workbench.secondarySideBar.defaultVisibility": "hidden",
-  "editor.autoClosingBrackets": "never",
-  "editor.autoSurround": "never",
-  "workbench.editor.navigationScope": "editorGroup",
-  "python.analysis.typeCheckingMode": "standard"
+  ]
 }

ansible/roles/zfs/tasks/linux.yaml

@@ -27,8 +27,7 @@
   args:
     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
   loop:
-    # - zfs-dkms-git
-    - zfs-dkms
+    - zfs-dkms-git
     - zfs-utils
 
 - name: Update cache
@@ -41,8 +40,7 @@
 - name: Install packages
   package:
     name:
-      # - zfs-dkms-git
-      - zfs-dkms
+      - zfs-dkms-git
       - zfs-utils
     state: present
 

nix/configuration/.gitignore

@@ -0,0 +1 @@
+result

nix/configuration/README.org

@@ -0,0 +1,12 @@
+* To-do
+** Perhaps use overlay for /etc for speedup
+#+begin_src nix
+  system.etc.overlay.enable = true;
+#+end_src
+** read https://nixos.org/manual/nixos/stable/
+** Performance for mini pc
+#+begin_src nix
+  security.pam.loginLimits = [
+    { domain = "@users"; item = "rtprio"; type = "-"; value = 1; }
+  ];
+#+end_src

nix/configuration/configuration.nix

@@ -0,0 +1,271 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+{
+  imports = [
+    ./roles/2ship2harkinian
+    ./roles/alacritty
+    ./roles/amd_s2idle
+    ./roles/ansible
+    ./roles/ares
+    ./roles/base
+    ./roles/bluetooth
+    ./roles/boot
+    ./roles/build_in_ram
+    ./roles/chromecast
+    ./roles/chromium
+    ./roles/d2
+    ./roles/direnv
+    ./roles/disko
+    ./roles/distributed_build
+    ./roles/doas
+    ./roles/docker
+    ./roles/dont_use_substituters
+    ./roles/ecc
+    ./roles/emacs
+    ./roles/emulate_isa
+    ./roles/firefox
+    ./roles/firewall
+    ./roles/flux
+    ./roles/fonts
+    ./roles/gcloud
+    ./roles/git
+    ./roles/global_options
+    ./roles/gnome_keyring
+    ./roles/gnuplot
+    ./roles/gpg
+    ./roles/graphics
+    ./roles/hydra
+    ./roles/image_based_appliance
+    ./roles/iso
+    ./roles/iso_mount
+    ./roles/jujutsu
+    ./roles/kanshi
+    ./roles/kodi
+    ./roles/kubernetes
+    ./roles/latex
+    ./roles/launch_keyboard
+    ./roles/lvfs
+    ./roles/media
+    ./roles/memtest86
+    ./roles/minimal_base
+    ./roles/network
+    ./roles/nix_index
+    ./roles/nix_repl
+    ./roles/nix_worker
+    ./roles/nixdev
+    ./roles/nvme
+    ./roles/openpgp_card_tools
+    ./roles/optimized_build
+    ./roles/pcsx2
+    ./roles/podman
+    ./roles/postgresql_client
+    ./roles/python
+    ./roles/qemu
+    ./roles/recovery
+    ./roles/reset
+    ./roles/rpcs3
+    ./roles/rust
+    ./roles/sequoia
+    ./roles/shadps4
+    ./roles/shikane
+    ./roles/shipwright
+    ./roles/sm64ex
+    ./roles/sops
+    ./roles/sound
+    ./roles/spaghettikart
+    ./roles/ssh
+    ./roles/sshd
+    ./roles/steam
+    ./roles/steam_run_free
+    ./roles/sway
+    ./roles/tekton
+    ./roles/terraform
+    ./roles/thunderbolt
+    ./roles/user
+    ./roles/uutils
+    ./roles/vnc_client
+    ./roles/vscode
+    ./roles/wasm
+    ./roles/waybar
+    ./roles/wine
+    ./roles/wireguard
+    ./roles/yubikey
+    ./roles/zfs
+    ./roles/zrepl
+    ./roles/zsh
+    ./util/install_files
+    ./util/unfree_polyfill
+  ];
+
+  config = {
+    nix.settings.experimental-features = [
+      "nix-command"
+      "flakes"
+      "ca-derivations"
+      # "blake3-hashes"
+      # "git-hashing"
+    ];
+    nix.settings.trusted-users = [ "@wheel" ];
+    nix.settings.connect-timeout = 5;
+    nix.settings.min-free = 128000000;
+    nix.settings.max-free = 1000000000;
+    nix.settings.fallback = true;
+    nix.settings.warn-dirty = false;
+
+    hardware.enableRedistributableFirmware = true;
+
+    # Keep outputs so we can build offline.
+    nix.settings.keep-outputs = true;
+    nix.settings.keep-derivations = true;
+
+    # Automatic garbage collection
+    nix.gc = lib.mkIf (!config.me.buildingPortable) {
+      # Runs nix-collect-garbage --delete-older-than 5d
+      automatic = true;
+      persistent = true;
+      dates = "monthly";
+      # randomizedDelaySec = "14m";
+      options = "--delete-older-than 30d";
+    };
+    nix.settings.auto-optimise-store = !config.me.buildingPortable;
+
+    environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
+      hideMounts = true;
+      directories = [
+        "/var/lib/nixos" # Contains user information (uids/gids)
+        "/var/lib/systemd" # Systemd state directory for random seed, persistent timers, core dumps, persist hardware state like backlight and rfkill
+        "/var/log/journal" # Logs, alternatively set `services.journald.storage = "volatile";` to write to /run/log/journal
+      ];
+      files = [
+        "/etc/machine-id" # Systemd unique machine id "otherwise, the system journal may fail to list earlier boots, etc"
+      ];
+    };
+
+    # Write a list of the currently installed packages to /etc/current-system-packages
+    # environment.etc."current-system-packages".text =
+    #   let
+    #     packages = builtins.map (p: "${p.name}") config.environment.systemPackages;
+    #     sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
+    #     formatted = builtins.concatStringsSep "\n" sortedUnique;
+    #   in
+    #   formatted;
+
+    # nixpkgs.overlays = [
+    #   (final: prev: {
+    #     foot = throw "foo";
+    #   })
+    # ];
+
+    nixpkgs.overlays =
+      let
+        disableTests = (
+          package_name:
+          (final: prev: {
+            "${package_name}" = prev."${package_name}".overrideAttrs (old: {
+              doCheck = false;
+              doInstallCheck = false;
+            });
+          })
+        );
+        disablePythonTests = (
+          package_name:
+          (final: prev: {
+            pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
+              (python-final: python-prev: {
+                "${package_name}" = python-prev."${package_name}".overridePythonAttrs (oldAttrs: {
+                  doCheck = false;
+                });
+              })
+            ];
+          })
+        );
+      in
+      [
+        # (final: prev: {
+        #   imagemagick = prev.imagemagick.overrideAttrs (old: rec {
+        #     # 7.1.2-6 seems to no longer exist, so use 7.1.2-7
+        #     version = "7.1.2-7";
+
+        #     src = final.fetchFromGitHub {
+        #       owner = "ImageMagick";
+        #       repo = "ImageMagick";
+        #       tag = version;
+        #       hash = "sha256-9ARCYftoXiilpJoj+Y+aLCEqLmhHFYSrHfgA5DQHbGo=";
+        #     };
+        #   });
+        # })
+        # (final: prev: {
+        #   grub2 = (final.callPackage ./package/grub { });
+        # })
+        (disableTests "coreutils")
+        (disableTests "coreutils-full")
+        (disableTests "libuv")
+        (final: prev: {
+          inherit (final.unoptimized) libtpms libjxl;
+        })
+        (final: prev: {
+          slurp = prev.slurp.overrideAttrs (old: {
+            version = "1.5.0";
+            src = final.fetchFromGitHub {
+              owner = "emersion";
+              repo = "slurp";
+              rev = "v1.5.0";
+              hash = "sha256-2M8f3kN6tihwKlUCp2Qowv5xD6Ufb71AURXqwQShlXI=";
+            };
+          });
+        })
+        # Works but probably sets python2's scipy to be python3:
+        #
+        # (final: prev: {
+        #   pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
+        #     (python-final: python-prev: {
+        #       scipy = final.unoptimized.python3Packages.scipy;
+        #     })
+        #   ];
+        # })
+
+        # Does not work:
+        #
+        # (final: prev: {
+        #   python3 = prev.python3.override {
+        #     packageOverrides = python-final: python-prev: {
+        #       scipy = final.unoptimized.python3.pkgs.scipy;
+        #     };
+        #   };
+        # })
+
+        # Maybe works?:
+        #
+        (final: prev: {
+          python3Packages = prev.python3Packages.override {
+            overrides = python-final: python-prev: {
+              scipy = final.unoptimized.python3.pkgs.scipy;
+            };
+          };
+        })
+      ];
+
+    # This option defines the first version of NixOS you have installed on this particular machine,
+    # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+    #
+    # Most users should NEVER change this value after the initial install, for any reason,
+    # even if you've upgraded your system to a new NixOS release.
+    #
+    # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+    # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+    # to actually do that.
+    #
+    # This value being lower than the current NixOS release does NOT mean your system is
+    # out of date, out of support, or vulnerable.
+    #
+    # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+    # and migrated your data accordingly.
+    #
+    # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+    system.stateVersion = "24.11"; # Did you read the comment?
+  };
+}

nix/configuration/flake.lock

@@ -0,0 +1,256 @@
+{
+  "nodes": {
+    "crane": {
+      "locked": {
+        "lastModified": 1731098351,
+        "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769524058,
+        "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "impermanence",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1768598210,
+        "narHash": "sha256-kkgA32s/f4jaa4UG+2f8C225Qvclxnqs76mf8zvTVPg=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "c47b2cc64a629f8e075de52e4742de688f930dc6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "impermanence": {
+      "inputs": {
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769548169,
+        "narHash": "sha256-03+JxvzmfwRu+5JafM0DLbxgHttOQZkUtDWBmeUkN8Y=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "7b1d382faf603b6d264f58627330f9faa5cba149",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1737639419,
+        "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v0.4.2",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1770197578,
+        "narHash": "sha256-AYqlWrX09+HvGs8zM6ebZ1pwUqjkfpnv8mewYwAo+iM=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "00c21e4c93d963c50d4c0c89bfa84ed6e0694df2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1730741070,
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "lanzaboote",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1731363552,
+        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "disko": "disko",
+        "impermanence": "impermanence",
+        "lanzaboote": "lanzaboote",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731897198,
+        "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

nix/configuration/flake.nix

@@ -0,0 +1,127 @@
+# TODO maybe use `nix eval --raw .#odo.iso.outPath`
+
+#
+# Install on a new machine:
+#
+# Set
+#   me.disko.enable = true;
+#   me.disko.offline.enable = true;
+#
+# Run
+#   doas disko --mode destroy,format,mount hosts/recovery/disk-config.nix
+#   doas nixos-install --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --flake ".#recovery"
+
+{
+  description = "My system configuration";
+
+  inputs = {
+    impermanence = {
+      url = "github:nix-community/impermanence";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v0.4.2";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      disko,
+      impermanence,
+      lanzaboote,
+      ...
+    }:
+    let
+      forAllSystems = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed;
+      nodes = {
+        odo = {
+          system = "x86_64-linux";
+        };
+        odowork = {
+          system = "x86_64-linux";
+        };
+        quark = {
+          system = "x86_64-linux";
+        };
+        recovery = {
+          system = "x86_64-linux";
+        };
+        i_only_boot_zfs = {
+          system = "x86_64-linux";
+        };
+        hydra = {
+          system = "x86_64-linux";
+        };
+      };
+      nixosConfigs = builtins.mapAttrs (
+        hostname: nodeConfig: format:
+        nixpkgs.lib.nixosSystem {
+          specialArgs = {
+            inherit self;
+
+            this_nixos_config = self.nixosConfigurations."${hostname}";
+
+            all_nixos_configs = self.nixosConfigurations;
+          };
+          modules = [
+            impermanence.nixosModules.impermanence
+            lanzaboote.nixosModules.lanzaboote
+            disko.nixosModules.disko
+            ./configuration.nix
+            (./. + "/hosts/${hostname}")
+            (./. + "/formats/${format}.nix")
+            {
+              config = {
+                nixpkgs.hostPlatform.system = nodeConfig.system;
+                nixpkgs.overlays = [
+                  (final: prev: {
+                    # stable = nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
+                    unoptimized = import nixpkgs {
+                      system = prev.stdenv.hostPlatform.system;
+                      hostPlatform.gcc.arch = "default";
+                      hostPlatform.gcc.tune = "default";
+                    };
+                  })
+                ];
+              };
+            }
+          ];
+        }
+      ) nodes;
+      installerConfig =
+        hostname: nodeConfig:
+        nixpkgs.lib.nixosSystem {
+          specialArgs = {
+            targetSystem = self.nixosConfigurations."${hostname}";
+          };
+          modules = [
+            ./formats/installer.nix
+            ({ nixpkgs.hostPlatform.system = nodeConfig.system; })
+          ];
+        };
+    in
+    {
+      nixosConfigurations = (builtins.mapAttrs (name: value: value "toplevel") nixosConfigs);
+    }
+    // {
+      packages = (
+        forAllSystems (
+          system:
+          (builtins.mapAttrs (hostname: nodeConfig: {
+            iso = (nixosConfigs."${hostname}" "iso").config.system.build.isoImage;
+            vm_iso = (nixosConfigs."${hostname}" "vm_iso").config.system.build.isoImage;
+            sd = (nixosConfigs."${hostname}" "sd").config.system.build.sdImage;
+            installer = (installerConfig hostname nodes."${hostname}").config.system.build.isoImage;
+          }) (nixpkgs.lib.attrsets.filterAttrs (hostname: nodeConfig: nodeConfig.system == system) nodes))
+        )
+      );
+    };
+}

nix/configuration/formats/installer.nix

@@ -0,0 +1,74 @@
+{
+  config,
+  pkgs,
+  lib,
+  modulesPath,
+  targetSystem,
+  ...
+}:
+let
+  installer = pkgs.writeShellApplication {
+    name = "installer";
+    runtimeInputs = with pkgs; [
+      # clevis
+      dosfstools
+      e2fsprogs
+      gawk
+      nixos-install-tools
+      util-linux
+      config.nix.package
+    ];
+    text = ''
+      set -euo pipefail
+
+      ${targetSystem.config.system.build.diskoScript}
+
+      nixos-install --no-channel-copy --no-root-password --option substituters "" --system ${targetSystem.config.system.build.toplevel}
+    '';
+  };
+  installerFailsafe = pkgs.writeShellScript "failsafe" ''
+    ${lib.getExe installer} || echo "ERROR: Installation failure!"
+    sleep 3600
+  '';
+in
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/iso-image.nix")
+    (modulesPath + "/profiles/all-hardware.nix")
+  ];
+
+  # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_17;
+  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux;
+  boot.zfs.package = pkgs.zfs_unstable;
+  boot.kernelParams = [
+    "quiet"
+    "systemd.unit=getty.target"
+  ];
+  boot.supportedFilesystems.zfs = true;
+  boot.initrd.systemd.enable = true;
+
+  networking.hostId = "04581ecf";
+
+  isoImage.makeEfiBootable = true;
+  isoImage.makeUsbBootable = true;
+  isoImage.squashfsCompression = "zstd -Xcompression-level 15";
+
+  environment.systemPackages = [
+    installer
+  ];
+
+  systemd.services."getty@tty1" = {
+    overrideStrategy = "asDropin";
+    serviceConfig = {
+      ExecStart = [
+        ""
+        installerFailsafe
+      ];
+      Restart = "no";
+      StandardInput = "null";
+    };
+  };
+
+  # system.stateVersion = lib.mkDefault lib.trivial.release;
+  system.stateVersion = "24.11";
+}

nix/configuration/formats/iso.nix

@@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  modulesPath,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/iso-image.nix")
+  ];
+
+  config = {
+    isoImage.makeEfiBootable = true;
+    isoImage.makeUsbBootable = true;
+
+    networking.dhcpcd.enable = true;
+    networking.useDHCP = true;
+
+    me.buildingPortable = true;
+    me.disko.enable = true;
+    me.disko.offline.enable = true;
+    me.mountPersistence = lib.mkForce false;
+    # me.optimizations.enable = lib.mkForce false;
+
+    # Not doing image_based_appliance because this might be an install ISO, in which case we'd need nix to do the install.
+    # me.image_based_appliance.enable = true;
+
+    # TODO: Should I use this instead of doing a mkIf for the disk config?
+    # disko.enableConfig = false;
+
+    # Faster image generation for testing/development.
+    isoImage.squashfsCompression = "zstd -Xcompression-level 15";
+  };
+}

nix/configuration/formats/sd.nix

@@ -0,0 +1,32 @@
+{
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/sd-card/sd-image.nix")
+  ];
+
+  config = {
+    isoImage.makeEfiBootable = true;
+    isoImage.makeUsbBootable = true;
+
+    boot.loader.grub.enable = false;
+    boot.loader.generic-extlinux-compatible.enable = true;
+
+    # TODO: image based appliance?
+
+    # TODO: Maybe this?
+    # fileSystems = {
+    #   "/" = {
+    #     device = "/dev/disk/by-label/NIXOS_SD";
+    #     fsType = "ext4";
+    #     options = [
+    #       "noatime"
+    #       "norelatime"
+    #     ];
+    #   };
+    # };
+  };
+}

nix/configuration/formats/toplevel.nix

@@ -0,0 +1 @@
+{ }

nix/configuration/formats/vm_iso.nix

@@ -0,0 +1,22 @@
+{
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/iso-image.nix")
+    (modulesPath + "/profiles/qemu-guest.nix") # VirtIO kernel modules
+  ];
+
+  config = {
+    isoImage.makeEfiBootable = true;
+    isoImage.makeUsbBootable = true;
+
+    networking.dhcpcd.enable = true;
+    networking.useDHCP = true;
+
+    me.image_based_appliance.enable = true;
+  };
+}

nix/configuration/hosts/hydra/DEPLOY_BOOT

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=hydra
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/DEPLOY_SWITCH

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=hydra
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#hydra.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/SELF_BOOT

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/SELF_BUILD

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/SELF_SWITCH

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/VM_ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#hydra.vm_iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/default.nix

@@ -0,0 +1,138 @@
+# MANUAL: On client machines generate signing keys:
+#   nix-store --generate-binary-cache-key some-name /persist/manual/nix/nix-cache-key.sec /persist/manual/nix/nix-cache-key.pub
+#
+# Trust other machines and add the substituters:
+#   nix.binaryCachePublicKeys = [ "some-name:AzNW1MOlkNEsUAXS1jIFZ1QCFKXjV+Y/LrF37quAZ1A=" ];
+#   nix.binaryCaches = [ "https://test.example/nix-cache" ];
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./vm_disk.nix
+  ];
+
+  config = {
+    networking =
+      let
+        interface = "enp0s2";
+      in
+      {
+        # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+        hostId = "6fbf418b";
+
+        hostName = "hydra"; # Define your hostname.
+
+        interfaces = {
+          "${interface}" = {
+            ipv4.addresses = [
+              {
+                address = "10.215.1.219";
+                prefixLength = 24;
+              }
+            ];
+
+            ipv6.addresses = [
+              {
+                address = "2620:11f:7001:7:ffff:ffff:0ad7:01db";
+                prefixLength = 64;
+              }
+            ];
+          };
+        };
+        defaultGateway = "10.215.1.1";
+        defaultGateway6 = {
+          # address = "2620:11f:7001:7::1";
+          address = "2620:11f:7001:7:ffff:ffff:0ad7:0101";
+          inherit interface;
+        };
+
+        dhcpcd.enable = lib.mkForce false;
+        useDHCP = lib.mkForce false;
+      };
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.enable = true;
+    me.boot.secure = false;
+    me.mountPersistence = true;
+    boot.loader.timeout = lib.mkForce 0; # We can always generate a new ISO if we need to access other boot options.
+
+    me.optimizations = {
+      enable = true;
+      arch = "znver4";
+      # build_arch = "x86-64-v3";
+      system_features = [
+        "gccarch-znver4"
+        "gccarch-skylake"
+        "gccarch-kabylake"
+        # "gccarch-alderlake" missing WAITPKG
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    # nix.optimise.automatic = true;
+    # nix.optimise.dates = [ "03:45" ];
+    # nix.optimise.persistent = true;
+
+    me.image_based_appliance.enable = lib.mkForce false;
+
+    environment.systemPackages = with pkgs; [
+      htop
+      git # for building on hydra
+      tmux # for building on hydra
+      nix-output-monitor # for building on hydra
+    ];
+
+    # nix.sshServe.enable = true;
+    # nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
+
+    # Override garbage collection to keep things longer
+    # Automatic garbage collection
+    nix.gc = lib.mkForce {
+      automatic = true;
+      persistent = true;
+      dates = "weekly";
+      # randomizedDelaySec = "14m";
+      options = "--delete-older-than 60d";
+    };
+
+    # The default limit of files is 1024 which is too low for some nix builds.
+    #
+    # Check with `ulimit -n`
+    security.pam.loginLimits = [
+      {
+        domain = "*";
+        item = "nofile";
+        type = "-";
+        value = "8192";
+      }
+    ];
+
+    # systemd.user.extraConfig = "DefaultLimitNOFILE=8192";
+    # systemd.services."user@11400".serviceConfig.LimitNOFILE = "8192";
+
+    me.build_in_ram.enable = true;
+    me.dont_use_substituters.enable = true;
+    me.hydra.enable = true;
+    me.minimal_base.enable = true;
+    me.nix_worker.enable = true;
+  };
+}

nix/configuration/hosts/hydra/hardware-configuration.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  config = {
+    boot.initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+    ];
+    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [ ];
+    boot.extraModulePackages = [ ];
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    # networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+  };
+}

nix/configuration/hosts/hydra/vm_disk.nix

@@ -0,0 +1,95 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    # environment.systemPackages = with pkgs; [
+    #   e2fsprogs # mkfs.ext4
+    #   gptfdisk # cgdisk
+    # ];
+
+    # Mount the local disk
+    fileSystems = lib.mkIf config.me.mountPersistence {
+      "/.disk" = lib.mkForce {
+        device = "/dev/nvme0n1p1";
+        fsType = "ext4";
+        options = [
+          "noatime"
+          "discard"
+        ];
+        neededForBoot = true;
+      };
+
+      # "/.persist" = lib.mkForce {
+      #   device = "bind9p";
+      #   fsType = "9p";
+      #   options = [
+      #     "noatime"
+      #     "trans=virtio"
+      #     "version=9p2000.L"
+      #     "cache=mmap"
+      #     "msize=512000"
+      #     "uname=root"
+      #     "dfltuid=0"
+      #     "dfltgid=0"
+      #     "nodevmap"
+      #     # "noauto"
+      #     # "x-systemd.automount"
+      #   ];
+      #   neededForBoot = true;
+      # };
+
+      "/persist" = {
+        fsType = "none";
+        device = "/.disk/persist";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.disk/persist"
+        ];
+        neededForBoot = true;
+      };
+
+      "/state" = {
+        fsType = "none";
+        device = "/.disk/state";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.disk/state"
+        ];
+        neededForBoot = true;
+      };
+
+      # "/nix/store" = lib.mkForce {
+      #   overlay = {
+      #     lowerdir = [ "/nix/.ro-store" ];
+      #     upperdir = "/.disk/persist/store";
+      #     workdir = "/.disk/state/work";
+      #   };
+      #   # fsType = "overlay";
+      #   # device = "overlay";
+      #   # options = [
+      #   #   "lowerdir=/nix/.ro-store"
+      #   #   "upperdir=/.disk/persist/store"
+      #   #   "workdir=/.disk/state/work"
+      #   # ];
+      #   depends = [
+      #     "/nix/.ro-store"
+      #     "/.disk/persist/store"
+      #     "/.disk/state/work"
+      #   ];
+      # };
+    };
+  };
+}

nix/configuration/hosts/i_only_boot_zfs/DEPLOY_BOOT

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=i_only_boot_zfs
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/i_only_boot_zfs/DEPLOY_SWITCH

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=i_only_boot_zfs
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/i_only_boot_zfs/ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#i_only_boot_zfs.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/i_only_boot_zfs/SELF_BOOT

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/i_only_boot_zfs/SELF_BUILD

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/i_only_boot_zfs/SELF_SWITCH

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/i_only_boot_zfs/default.nix

@@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./wrapped-disk-config.nix
+    ./distributed_build.nix
+    ./power_management.nix
+  ];
+
+  config = {
+    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+    networking.hostId = "6a05d86e";
+
+    networking.hostName = "i_only_boot_zfs"; # Define your hostname.
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.enable = true;
+    me.boot.secure = false;
+    me.mountPersistence = true;
+
+    # Toggle to start writing the extlinux config which will be used by zfsbootmenu
+    # boot.loader.generic-extlinux-compatible.enable = true;
+    # boot.loader.systemd-boot.enable = lib.mkForce false;
+
+    me.optimizations = {
+      # enable = true;
+      # arch = "kabylake";
+      # build_arch = "x86-64-v3";
+      system_features = [
+        # "gccarch-kabylake"
+        "gccarch-x86-64-v3"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Early KMS
+    # boot.initrd.kernelModules = [ "amdgpu" ];
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    # Even when installed, we want to dhcp because this is for a VM.
+    networking.dhcpcd.enable = true;
+    networking.useDHCP = true;
+
+    me.build_in_ram.enable = true;
+    me.dont_use_substituters.enable = true;
+    me.minimal_base.enable = true;
+  };
+}

nix/configuration/hosts/i_only_boot_zfs/disk-config.nix

@@ -0,0 +1,155 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/efi";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options = {
+              # encryption = "aes-256-gcm";
+              # keyformat = "passphrase";
+              # keylocation = "file:///tmp/secret.key";
+            };
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/boot" = {
+            type = "zfs_fs";
+            options = {
+              mountpoint = "legacy";
+              "org.zfsbootmenu:active" = "on";
+            };
+            mountpoint = "/boot";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/boot@blank$' || zfs snapshot zroot/linux/nix/boot@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              recordsize = "16MiB";
+              compression = "zstd-19";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/boot".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+
+  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
+  # boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
+}

nix/configuration/hosts/i_only_boot_zfs/distributed_build.nix

@@ -0,0 +1,13 @@
+{
+  imports = [ ];
+
+  config = {
+    me.distributed_build.enable = true;
+    me.distributed_build.machines.quark = {
+      enable = true;
+      additional_config = {
+        speedFactor = 2;
+      };
+    };
+  };
+}

nix/configuration/hosts/i_only_boot_zfs/hardware-configuration.nix

@@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  config = {
+    boot.initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+    ];
+    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [ ];
+    boot.extraModulePackages = [ ];
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    # networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+
+    hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  };
+}

nix/configuration/hosts/i_only_boot_zfs/power_management.nix

@@ -0,0 +1,63 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    environment.systemPackages = with pkgs; [
+      powertop
+    ];
+
+    # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
+    # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
+    boot.kernelParams = [
+      "pcie_aspm=force"
+      # "pcie_aspm.policy=powersupersave"
+      "nowatchdog"
+    ];
+
+    systemd.tmpfiles.rules = [
+      "w- /sys/firmware/acpi/platform_profile - - - - low-power"
+      "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0"
+    ];
+
+    boot.extraModprobeConfig = ''
+      # Sound power-saving was causing chat notifications to be inaudible.
+      # options snd_hda_intel power_save=1
+    '';
+  };
+}

nix/configuration/hosts/i_only_boot_zfs/wrapped-disk-config.nix

@@ -0,0 +1,7 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix)

nix/configuration/hosts/neelix/DEPLOY_BOOT

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET=neelix
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#neelix'

nix/configuration/hosts/neelix/DEPLOY_SWITCH

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET=neelix
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#neelix'

nix/configuration/hosts/neelix/default.nix

@@ -0,0 +1,66 @@
+{ config, pkgs, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./disk-config.nix
+    ./power_management.nix
+  ];
+
+  config = {
+    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+    networking.hostId = "bca9d0a5";
+
+    networking.hostName = "neelix"; # Define your hostname.
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.secure = false;
+    me.mountPersistence = true;
+
+    me.optimizations = {
+      enable = false;
+      arch = "alderlake";
+      system_features = [
+        "gccarch-alderlake"
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Early KMS
+    boot.initrd.kernelModules = [ "i915" ];
+
+    # Mount tmpfs at /tmp
+    # boot.tmp.useTmpfs = true;
+
+    me.base.enable = true;
+    me.bluetooth.enable = true;
+    me.boot.enable = true;
+    me.doas.enable = true;
+    me.emacs_flavor = "plainmacs";
+    me.firewall.enable = true;
+    me.font.enable = true;
+    me.git.enable = true;
+    me.graphical = true;
+    me.graphics_card_type = "intel";
+    me.kodi.enable = true;
+    me.lvfs.enable = true;
+    me.memtest.enable = true;
+    me.network.enable = true;
+    me.nvme.enable = true;
+    me.sound.enable = true;
+    me.ssh.enable = true;
+    me.sshd.enable = true;
+    me.user.enable = true;
+    me.wireguard.activated = [ "wgh" ];
+    me.wireguard.deactivated = [ "wgf" ];
+    me.zfs.enable = true;
+    me.zrepl.enable = true;
+    me.zsh.enable = true;
+  };
+}

nix/configuration/hosts/neelix/disk-config.nix

@@ -0,0 +1,140 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingIso) {
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              recordsize = "1MiB";
+              compression = "lz4";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+}

nix/configuration/hosts/neelix/hardware-configuration.nix

@@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  config = {
+    boot.initrd.availableKernelModules = [
+      "xhci_pci"
+      "nvme"
+      "usbhid"
+      "usb_storage"
+      "sd_mod"
+      "sdhci_pci"
+    ];
+    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [ ];
+    boot.extraModulePackages = [ ];
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    # networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+
+    hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  };
+}

nix/configuration/hosts/neelix/power_management.nix

@@ -0,0 +1,35 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    environment.systemPackages = with pkgs; [
+      powertop
+    ];
+
+    # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
+    # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
+    boot.kernelParams = [
+      "pcie_aspm=force"
+      # "pcie_aspm.policy=powersupersave"
+      "nowatchdog"
+    ];
+
+    # default performance balance_performance balance_power power
+    # defaults to balance_performance
+    # systemd.tmpfiles.rules = [
+    #   "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
+    #   "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
+    #   "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
+    #   "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
+    # ];
+
+    boot.extraModprobeConfig = ''
+      options snd_hda_intel power_save=1
+    '';
+  };
+}

nix/configuration/hosts/odo/DEPLOY_BOOT

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=odo
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odo/DEPLOY_SWITCH

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=odo
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odo/ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odo.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odo/SELF_BOOT

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json